CYBER ATTACK: IS THE GOVERNMENT SAFE?


HEARING

BEFORE THE

COMMITTEE ON
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE

ONE HUNDRED SIXTH CONGRESS

SECOND SESSION

MARCH 2, 2000


Printed for the use of the Committee on Governmental Affairs



U.S. GOVERNMENT PRINTING OFFICE

Washington : 2000


For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402

ISBN 0-16-060743-4





COMMITTEE ON GOVERNMENTAL AFFAIRS


FRED THOMPSON, Tennessee, Chairman


WILLIAM V. ROTH, Jr., Delaware
TED STEVENS, Alaska
SUSAN M. COLLINS, Maine
GEORGE V. VOINOVICH, Ohio
PETE V. DOMENICI, New Mexico
THAD COCHRAN, Mississippi
ARLEN SPECTER, Pennsylvania
JUDD GREGG, New Hampshire


JOSEPH I. LIEBERMAN, Connecticut
CARL LEVIN, Michigan
DANIEL K. AKAKA, Hawaii
RICHARD J. DURBIN, Illinois
ROBERT G. TORRICELLI, New Jersey
MAX CLELAND, Georgia
JOHN EDWARDS, North Carolina


Hannah S. Sistare, Staff Director and Counsel
Ellen B. Brown, Senior Counsel
Susan G. Marshall, Professional Staff Member
Joyce A. Rechtschaffen, Minority Staff Director and Counsel
Deborah Cohen Lehrich, Minority Counsel
Darla D. Cassell, Administrative Clerk



CONTENTS


Opening statements:
    Senator Thompson ........ 1
    Senator Lieberman ........ 3
    Senator Akaka ........ 5
    Senator Collins ........ 16
    Senator Edwards ........ 18


WITNESSES


Thursday, March 2, 2000


Kevin Mitnick ........ 6
Jack L. Brock, Jr., Director, Governmentwide and Defense Information Systems, Accounting and Information Management Division, U.S. General Accounting Office ........ 21
Roberta L. Gross, Inspector General, National Aeronautics and Space Administration ........ 23
Kenneth Watson, Manager, Critical Infrastructure Protection, Cisco Systems, Inc. ........ 33
James Adams, Chief Executive Officer, Infrastructure Defense, Inc. ........ 36


Alphabetical List of Witnesses


Adams, James:
    Testimony ........ 35
    Prepared statement ........ 88
Brock, Jack L., Jr.:
    Testimony ........ 21
    Prepared statement ........ 56
Gross, Roberta L.:
    Testimony ........ 23
    Prepared statement ........ 71
Mitnick, Kevin:
    Testimony ........ 6
    Prepared statement ........ 47
Watson, Kenneth:
    Testimony ........ 33
    Prepared statement ........ 83


APPENDIX

Copy of S. 1993 ........ 92

Questions for the record submitted by Senator Akaka and responses from:
    Jack L. Brock, Jr. ........ 113
    Roberta L. Gross ........ 116
    Kenneth Watson ........ 119




























CYBER ATTACK: IS THE GOVERNMENT SAFE? 


THURSDAY, MARCH 2, 2000 

U.S. Senate, 

Committee on Governmental Affairs, 

Washington, DC. 

The Committee met, pursuant to notice, at 10:06 a.m., in room SD-342, Dirksen Senate Office Building, Hon. Fred Thompson, Chairman of the Committee, presiding.

Present: Senators Thompson, Collins, Lieberman, Akaka, and Edwards.

OPENING STATEMENT OF CHAIRMAN THOMPSON 

Chairman Thompson. The Committee will be in order, please. I am afraid we are going to have a vote. I guess it is on right now, so we will have to leave momentarily, but let us see if we can get a little something accomplished before we have to leave.

Today, the Committee on Governmental Affairs is holding a hearing on the ability of the Federal Government to protect against and respond to potential cyber attacks. This Committee spent considerable time during the last Congress examining the state of Federal Government information systems. Numerous Governmental Affairs Committee hearings and General Accounting Office reports uncovered and identified systemic failures of government information systems, which highlighted our Nation's vulnerability to computer attacks from international and domestic terrorists, to crime rings, to everyday hackers.

We directed GAO to study computer security vulnerabilities at several Federal agencies, including the Internal Revenue Service, the State Department, the Federal Aviation Administration, the Social Security Administration, and the Department of Veterans' Affairs. From these and other numerous reports, we learned that our Nation's underlying information infrastructure is riddled with vulnerabilities which represent severe security flaws and risks to our national security, public safety, and personal privacy.

Every year, the government gathers information on every one of us because we give the government this information in order to obtain government services, like getting Social Security benefits, veterans benefits, Medicare, or paying taxes, and yet, year after year, this Committee continues to receive reports detailing security breaches at these same agencies. Sometimes these things improve. Agencies usually will respond to specific GAO recommendations or to a particular Inspector General report. But this is a band-aid approach to protecting information systems, that is, fixing the system little by little, problem by problem after it is revealed that it is no longer secure.

What is most alarming to me is that after all this time and all these reports, there is still no organization-wide approach to preventing cyber attacks and the security program management is totally inadequate. I am afraid it is another example of how difficult it is to get the Federal bureaucracy to move even in an area as important as this.

Those reports highlight that an underlying cause of Federal information security vulnerabilities is inadequate security program planning and management. When GAO studied the management practices of eight organizations known for their superior security programs, GAO found that these organizations manage information security through continuous management activities, which included specific practices to support their information security principles. We think this is lacking in the Federal Government.

And we think agencies must do more than establish programs and set management goals. Agencies and the people responsible for information systems in those agencies must be held accountable for their actions, and I believe that Congress should examine how we can provide assistance to the agencies to ensure that they have the resources necessary to maintain information technology security preparedness at all times.

It is clear to me, based on GAO report after GAO report, that what needs to emerge in government is a coordinated and comprehensive management approach to protecting information which incorporates the efforts already underway and takes advantage of the extended amount of evidence that we have gathered over the years. The objective of such an approach should be to encourage agency improvement efforts and measure their effectiveness through an appropriate level of oversight.

In order to develop such an approach and begin to find solutions to the problems which have been identified, we concluded that a more complete statutory foundation for improvement is needed. That is why Senator Lieberman and I introduced S. 1993, the Government Information Security Act, at the end of last year. The primary objective of our bill is to address the management challenges associated with operating in the current interdependent computing environment.

Our bill begins where the Paperwork Reduction Act of 1996 and the Clinger-Cohen Act of 1996 left off. These laws and the Computer Security Act of 1987 provide the basic framework for managing information security. We recognize that these are not the only things that need to be done. Some have suggested we provide specific standards in the legislation. Others have recommended we establish a new position of a national chief information officer or even a national security czar. These things should be considered and these issues and more will be brought up during our hearing today.

The witnesses before us represent a broad array of experience and expertise in the area of information security. First, we have Kevin Mitnick, who has described himself as a reformed hacker.

Next, we will hear from Jack Brock, who is the Director of Governmentwide and Defense Information Systems at GAO, and Roberta Gross, Inspector General for NASA. Both of them have done significant work in the area of Government information security.

We will also hear from Ken Watson, who is the Manager of Critical Infrastructure Protection at Cisco Systems, Inc., and James Adams, the CEO and co-founder of iDEFENSE.

I welcome all of you and look forward to your testimony about the cyber threats that we face today and how we can work together to fashion solutions to the many problems associated with computer security.

Senator Lieberman. 

OPENING STATEMENT OF SENATOR LIEBERMAN

Senator Lieberman. Thank you very much, Mr. Chairman. Thanks for calling this hearing on a topic of enormous concern to all of us. The security of our digital information is something that affects every one of us on a daily basis and should be taken as seriously as the security of our property, of our neighborhoods, of our communities, of our Nation, and in the worst case, as seriously as the security of our lives.

The reach of the Internet and the alacrity with which it has achieved that reach is the story of the closing years of the 20th Century and the beginning of the 21st Century. Enabled by the remarkable innovation in information technology, we are fast approaching a time when the world will always be on, always connected, always open for business. It will be a fast environment marked by increasing efficiency and decreased cost. But it also will be intensely competitive and without boundaries. Almost every institution we rely on in our daily lives is feeling the effect of this latest technological revolution.

Just last month, the General Services Administration's Chief Information Officer, Bill Piatt, wrote something that I think all of us in government should keep in mind, "From the perspective of our bosses, the citizens, electronic government is neither an option to be chosen nor a mandate to be decreed. It is simply expected."

So the basic goals of e-Government, which are the electronic delivery of information and services, are the same as government's goals have always been, as enumerated in our Constitution and the laws that we have adopted pursuant to it. But if government is going to be plugged into the networked world as an active permanent presence, we will have to protect the confidentiality, the integrity, and, of course, the availability of the information contained on government computers.

We must be acutely aware of the range and content of the information at stake here. It covers everything from the movements of our armed forces and the deployment of our most powerful weapons to accumulated data about the economy and the financial markets, to support for our transportation networks, to the most private information about the American people, such as tax, wage, and medical records.

The information in far too many cases today is wide open to exploitation, from pranksters to terrorists and every disaffected person in between. The fact that the GAO has labeled as "high risk" virtually the entire computer security system of our government is just unacceptable. We must take action, and quickly, to get the government's computer security systems off of the high-risk watch list.

Last year, Senator Thompson and I, and this Committee, looked into what went wrong in the Federal investigation of Dr. Wen Ho Lee, the former Los Alamos nuclear laboratory scientist who is charged with downloading classified information to an unclassified computer. Mr. Lee has been indicted now. The Justice Department is still investigating other areas and, of course, his guilt or innocence is yet to be determined. But the case should focus everyone's attention on the vulnerability that comes with reliance on computers. So, too, should the more recent revelations of former CIA Director John Deutch, who maintained sensitive information on his home computer.

The hacking of government sites, including those at the Senate, the FBI, the White House, Interior, and the Department of Defense is actually becoming a near daily occurrence, and I would not be surprised if scores of other government sites have also been invaded. But the truth is, we will never know because monitoring intrusions, much less reporting them, is not required.

There are many reasons Federal computer-based information is inadequately protected, but the underlying problem, according to GAO, who we will hear from this morning, is poor management. In some cases, this is a cultural problem. Our concentration on security simply has not grown at the same pace as our reliance on computers. That is why the Government Information Security Act of 1999, which Chairman Thompson and I have introduced, is a beginning step toward correcting this fundamental shortcoming. The bill would put every government agency on notice that it must implement a computer security plan which will be subject to annual independent audits, report unauthorized intrusions, and provide security awareness training for all its workers.

There are a number of areas we have not addressed in our bill yet and we will be asking for input on how best to handle them. For example, the government needs to increase dramatically the number of trained information security professionals. In that regard, I am intrigued by President Clinton's proposal for a Federal Cyberservice at universities based on the ROTC model, and we need incentives for universities to train more people in this area.

We also need to consider what to do to keep the government informed of technological changes in computer security so we do not fall behind. The President's proposal to establish a National Institute for Infrastructure Protection sounds like a good idea if it provides assistance with R&D and technical support.

Mr. Chairman, I am hopeful that the proposal that you and I have made will stimulate significant debate and early action. Our bill is a work in progress. I know that we anticipate hearing from a broad range of interested parties. We have got to particularly listen to those in private industry who have made, I think, much more headway than we in the public sector have in protecting the security of computer-based information, because we do not need to reinvent the wheel here, a very high-tech wheel. We need to share experiences and exchange ideas to learn what works best.

I think we have put together a very interesting group of witnesses today. I look forward to their testimony, which I know will help us craft the best possible legislation to secure the government's vast and important treasury of information. Thank you very much.

Chairman Thompson. Thank you very much.

We are down to a minute or 2 on the vote, so we will recess for a few minutes to vote.

[Recess.]

Chairman Thompson. Let us go back into session.

Senator Akaka, did you have a statement?

OPENING STATEMENT OF SENATOR AKAKA

Senator Akaka. Thank you very much, Mr. Chairman. Thank you for scheduling this hearing. I have a longer statement, Mr. Chairman. I will ask that my longer statement be made part of the record.

Chairman Thompson. It will be a part of the record.

Senator Akaka. I just have a few points to make, three of them, to be exact. First, computer hacking has gone beyond the stage of being mischief making. Too much money is being lost. Hacking is a crime, but it has also become an act of international aggression. Last year, there were more than 20,000 cyber attacks on Defense Department networks alone.

Second, current technology has so far failed to provide adequate safeguards for critical infrastructure networks. We have little ability to detect or to recognize a cyber attack and even less capability to react.

Third, the President has unveiled his national plan for information systems protection. This, I feel, is a good proposal and deserves the immediate support of Congress.

Again, Mr. Chairman, my thanks to you. The legislation you have introduced on this subject, S. 1993, is something that we need to address immediately, and the Government Information Security Act is an important contribution. I look forward to today's discussion. Thank you, Mr. Chairman.

Chairman Thompson. Thank you very much.

[The prepared statement of Senator Akaka follows:]

PREPARED STATEMENT OF SENATOR AKAKA

Thank you, Mr. Chairman and Senator Lieberman, for providing the opportunity to discuss cybersecurity. In this new age of information warfare, no issue is of more vital importance to our security.

A cyber attack against our national information infrastructure would affect the integrity of our telecommunications, energy, banking and finances, transportation, water systems, and emergency services. As the Ranking Member of the Subcommittee on International Security, Proliferation, and Federal Services, I applaud all efforts to call attention to this issue. It is one in which the Subcommittee has also been involved. The Chairman and Ranking Member deserve great credit for the effort that they have made to heighten awareness of the threat while proposing methods to counter the threat.

Computer hacking can no longer be labeled benign mischief. Once, those who gained unauthorized access to government and private sector computer networks were heralded as technical icons, whose exploits were lionized by the popular media. That is not the reality any more. Now hacking is a Federal crime at the very least—at the worst, an international act of aggression. As Deputy Secretary of Defense John Hamre has stated, "We are at war—right now. We are in a cyber war."

Total losses from cyber fraud, including loss of service, recovery, and restoration costs, are estimated to be in the hundreds of millions of dollars. We now know that hostile countries have, or are developing, the capability to engage in overt and covert information warfare.

Last year alone there were more than 20,000 cyber attacks on Department of Defense networks alone. Astonishingly, we do not know who was behind the majority of those attacks.

In 1998, during a period of increased tensions with Iraq over United Nations weapons inspections, over 500 U.S. military, civilian government, and private sector computer systems were attacked. What was first thought to be a sophisticated Iraqi cyber attack proved to be a rather unsophisticated, yet highly effective attack by two juveniles from California with the cooperation of several individuals in Israel.

Last month, cyber-based denial of service attacks had a dramatic and immediate impact on many Americans and resulted in the loss of millions of dollars when several large e-commerce sites were shut down for several hours.

Just recently a student at a major university was arrested and charged with hacking into Federal Government computers at the National Aeronautics and Space Administration (NASA) and the Department of Defense where he was able to read, delete, and alter protected files and intercept and save log-in names.

Clearly, cybercrime has become a pervasive problem. And it is getting worse. According to FBI Director Louis Freeh, cybercrime is one of the fastest evolving areas of criminal behavior and a significant threat to our national and economic security. The escalation of cybercrime is rapidly overwhelming our current capability to respond.

Current technology has thus far failed to provide adequate safeguards for critical infrastructure networks. The Internet is international, knowing no boundaries and no ownership. Any attempt to stifle its growth and development would be counterproductive to the economic interests of America. A variety of easy to use sophisticated hacker tools are freely available on the Internet, available for use by anyone in the world with an inclination to mount a cyber attack.

Today, the United States has little ability to detect or recognize a cyber attack against either government or private sector infrastructures and even less capability to react. Nevertheless, we must, through cooperative public and private sector efforts, develop adequate defensive technologies to neutralize threats. Without new defenses, it is likely that attacks will occur with greater frequency, do more damage, and be more difficult to detect and counter.

In January 2000, President Clinton unveiled his "National Plan for Information Systems Protection," which proposes critically needed infrastructure improvements with milestones for implementation. This multifaceted plan promotes an unprecedented level of public/private cooperation, and proposes 10 programs to assess vulnerabilities, and significantly enhance capabilities to deter, detect, and effectively respond to hacking incidents. It also calls for vital research and educational enhancements to train adequate numbers of desperately needed information security specialists and sustain their perishable skills.

Our continued leadership and prosperity in the global economy may well hinge on our national commitment to act as leaders in bringing information assurance to the global information environment we have helped to create. I commend the Chairman and Ranking Member for their leadership in calling attention to this particularly insidious problem by their introduction of S. 1993, the Government Information Security Act. I welcome our witnesses, and look forward to hearing their testimony today.

Chairman Thompson. Our first witness will be Kevin Mitnick.

Mr. Mitnick, thank you for being with us here today. Please introduce yourself. Your full statement will be made a part of the record. If you could summarize that for us, we would appreciate it very much.


TESTIMONY OF KEVIN MITNICK¹

Mr. Mitnick. Great. Good morning. It is an honor to be here. I am glad that you value my opinion. It is interesting to note that the United States was my adversary in years of litigation, and despite that fact, I am with you here today.


¹ The prepared statement of Mr. Mitnick appears in the Appendix on page 47.



Chairman Thompson. I have seen those documents several times, United States of America versus some individual. It is kind of intimidating, is it not?

Mr. Mitnick. It sure is. Despite that, I am ready, willing, and able to assist, and that is why I am here today. I have written a prepared statement. That way, I can just read it and hopefully will answer some questions.

Hon. Chairperson Thompson, distinguished Senators, and Members of the Committee, my name is Kevin Mitnick. I appear before you today to discuss your efforts to create legislation that will ensure the future security and reliability of information systems used by the Federal Government. As you know, I have submitted my written remarks to the Committee. I would like to use this time to emphasize some of those remarks and to introduce a few ideas that I did not include in my written testimony.

I have 20 years' experience circumventing information security measures and can report that I have successfully compromised all systems that I targeted for unauthorized access except one. I have 2 years' experience as a private investigator and my responsibilities included finding people and their money, primarily using social engineering techniques.

Breaching information security measures is a difficult undertaking. As I stated in my prepared remarks, my success depended on exploiting weaknesses in computer systems and network security and the use of social engineering techniques. However, even the sophisticated techniques I have exploited for 2 decades depended on the lack of commitment by software manufacturers to deliver software free of security weaknesses.

The manufacturers of operating systems and software applications are under enormous pressure to deliver their products to the market with new features and are unwilling to thoroughly test their software under current market conditions. As a result, operating systems and applications contain security flaws that allow people with the required time, money, resources, motivation, and persistence to exploit those weaknesses. The Federal Government has no control over the security weaknesses that software manufacturers permit to reach the marketplace. Thus, it is imperative to enhance other security measures to overcome these shortcomings.

The average American's confidence in the public telephone system is misplaced. Here is why. If I decided to target a computer system with a dial-in modem, my first step would be to use social engineering techniques to find the number of the modem. Next, I would gain access to the telephone switch that controls the number assigned to the modem line. Using that control, I would redirect the modem number to a log-in simulator that would enable me to capture the passwords necessary to access the target machine. This technique can be performed in real time to capture dynamic passwords that are changed once per minute.

All of the actions I just described would be invisible to anyone monitoring or auditing the target computer security. What is important here is to consider the big picture. People use insecure methods to verify security measures. The public's confidence in the telephone system as secure is misplaced, and the example I just described demonstrates the reason why.


The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption, and secure access devices and it is money wasted because none of these measures address the weakest link in the security chain, the people who use, administer, operate, and account for computer systems that contain protected information.

It is my understanding that this Committee oversees information security for the Internal Revenue Service and the Social Security Administration. In the United States v. Czubinski, an IRS employee was convicted of wire and computer fraud, the same crimes for which I spent 5 years in Federal prison. It is not lost on me that Mr. Czubinski's conviction was overturned by the First Circuit Court of Appeals as the court found that he never deprived the IRS of their property interest in the confidential information he accessed just to satisfy his personal curiosity, the same circumstances which precisely match the crimes to which I plead guilty in March 1999.

Ironically, in their publicly filed briefs, the government revealed the name of the computer system used by IRS employees and the commands reportedly used by Mr. Czubinski and IRS employees in general to obtain confidential taxpayer information. I would like to bring to this Committee's attention how I successfully breached information security at the IRS and the Social Security Administration using social engineering techniques before 1992, which just so happens to be beyond the applicable statute of limitations. [Laughter.]

I called employees within these agencies and used social engineering to obtain the name of the target computer system and the commands used by agency employees to obtain protected taxpayer information. Once I was familiar with the agency's lingo, I was able to successfully social engineer other employees into issuing the commands required to obtain information for me using as a pretext the idea that I was a fellow employee having computer problems. I successfully exploited the security measures for which this Committee has oversight authority. I obtained confidential information in the same way government employees did and I did it all without even touching a computer.

Let me emphasize for the Committee the fact that these breaches of information security are ongoing and even as I stand before you today and that agency employees are being manipulated using social engineering exploits despite the current policies, procedures, guidelines, and standards already in place at these agencies.

S. 1993 is an important step toward protecting the confidentiality, integrity, and availability of critical data residing in government computer systems. However, after successfully exploiting similar security measures at the IRS and the Social Security Administration, as well as some of the planet's largest technology companies, including Motorola, Nokia, Sun Microsystems, and Novell, I am concerned that enacting this law without vigorous monitoring and auditing accompanied by extensive user education and training will fall short of the Committee's admirable goals.

In closing, I would be happy to offer my knowledge and expertise to the Committee regarding methods that may be used to counteract the weakest link in the security chain, the human element of information security. That is it. Thank you.

Chairman Thompson. Hiank you very much. That was very 
short but ve^ powerful, Mr. Mitnick. Thank you very much. 

It seems, in essence, what you are teliine us is that all of our 
systems are vulnerable, both government ana private. 

-' Mr. Mitnick. Absolutely. 


Chairman Thompson, we had the members of The LOpft hero a 
couple of years ago, some of the computer hackers, who basically 
told us the same thing. They said they could shut down the Inter¬ 
net and it was not a real problem. As I sit here and listen to you, 
you are one individual. Obviously, you are very bright, but there 
are a lot of very bright individuals out there. It makes you wonder, 
if one individual can do what you have done, what in the world 
could a foreim nation, with all the assets that they would have at 
their disposal do. 

Mr. Mitnick. It is pretty scary. 

Chaiman Thompson. The point, and I think it is one that you 
make, is that we really do not know -to what extent we already 
have been compromised, and the fact that we do not know or that 
other people or entities have not taken advantage of that or done 
sometning bad to us yet does not mean that we have not already 
been compromised in some way, is that not true? 

Mr. Mitnick. It is a possibility. 

Chairm^ Thompson. You also point out that the key to all of 
this, we sit here and think of systems and programs and all, but 
you point out the key is personnel, that that is the weakest link. 
No matter what kind of system you have, unless 3 'ou have per¬ 
sonnel that are adequately trained, adequately motivated—can you 
explain the importance of the personnel aspect to this and what 
you think we might be able to do about it? 

Mr. Mitnick. In my experience, when I would try to get into 
these systems, the first line of attack would be what I call a social 
enmneering ai^ck, which really means trying to manipulate some¬ 
body over me phone through deception. I was so successful in that 
line of attack that I rarely had to go towards a technical attack. 
I believe that the government employees and people in the private 
sector, that their level of awareness has to be—^you have to do 
something to raise their level of awareness that they could be the 
victim of some sort of scam over the telephone. 

What I might suggest is maybe a videotape be made that would 
demonstrate somebody being manipulated over the phone and the 
types of pretexts and ruses that are used and maybe that will 
make somebody think the next time they get a phone call. The 
problem is, people do what they call information mining, is where 
you call several people within an organization and you basically 
ask questions that appear to be innocuous, but it is really intended 
to gain intelligence. 

For instance, a vendor might call a company and ask them what software, what are you currently using, what computer systems do you have, to sell them a particular product, because they need to know that information, but the intent of the caller might be to gain intelligence to try to target their computer systems.




10 


So I really have a firm belief that there has to be extensive training and education to educate the users and the people who administer and use these computer systems that they can be victims of manipulation over the telephone, because like I said in my prepared statement, companies could spend millions of dollars towards technological protections and that is money wasted if somebody could basically call somebody on the telephone and either convince them to do something on the computer which lowers the computer's defenses or reveals the information that they are seeking.

Chairman Thompson. So you can compromise a target without ever even using the computer?

Mr. Mitnick. Yes. For example, personally, with Motorola, I was working at a law firm in Denver and I left work that day and just on an impulse, I used my cellular telephone and called Motorola, their 800 number, and without getting into details of how this, because of the time constraints, is by the time I left work and by the time I walked home, which was about a 20-minute period, 15- to 20-minute period, without any planning or anything, I was able to, by the time I walked to the front door, I had the source code to the firmware which controlled the Motorola Ultralight telephone sitting on a server in Colorado. Just by simply making pretext telephone calls within that 15- to 20-minute period, I had the software. I convinced somebody at Motorola to send the software to a particular server.

Chairman Thompson. So this has to do with personnel, it has to 
do with training within a larger umbrella of management. 

Mr. Mitnick. Absolutely, and I think the management has to be 
from top down, and the whole idea here is to protect the informa¬ 
tion regardless of whether it resides on a computer system or not, 
because whether or not this information is printed on a printout or 
is sitting on a floppy disk, it is still information which you want 
to protect against any type of confidentiality breach and the integ¬ 
rity of the information from being modified or destroyed. 

Chairman Thompson. These are the things we are trying to ad¬ 
dress in our bill. 

Mr. Mitnick. Yes, I read the bill. 

Chairman Thompson. We appreciate your comments on that. 

One of the questions we are going to have to deal with is whether 
or not we ought to be more specific in terms of training, for exam¬ 
ple. 

Mr. Mitnick. I think you should be, because—

Chairman Thompson. We vest the responsibility, but we kind of end it there and leave it up to the agencies to take it from there, but some have suggested that we might be more specific and more precise in exactly what kind of training we ought to have.

Mr. Mitnick. Yes, I think that is important because I am not privy to this information, but I assume that there are policies, procedures, guidelines, and standards in effect for protecting information at these agencies, just by protecting the information without regard to the computer systems. I think by explaining my background and experience with the Committee today that you can see that those policies and procedures were easily circumvented.

So what the Committee has to—I guess what has to be done is there has to be a way to figure out what the Federal Government could do to protect its information, and just enacting a law or policies and procedures may not be effective. I do not know. I think it really depends on really training the systems administration staff, management, and the people who use, administer, and have access to the information about all the different methodologies that could be used to breach computer security, which is not only just the human element. You have physical security, you have network security, and you have security of computer systems. So it is a very complex issue, so you have to be able to get people on board that would know how to protect each different area.

Chairman Thompson. We are not interested in another overlay of statutory requirements, and you are right, there are plenty of laws on the books that have to do with information systems in general. Technology has changed and the government has not changed with it, and what we have discovered is that although we have a lot of laws on the books, there is no comprehensive management scheme out there. There is no way to measure and evaluate the effectiveness of what anybody is doing. We will have a GAO witness here in a little while and we will go over the fact that for a few years now, we keep being told that government is ineffective. It is not working. It is not doing the job. So we go back and Congress does more. So that is what we are trying to do here and your testimony is very helpful.

We have other Senators here, so I will pass. Senator Lieberman. 

Senator Lieberman. Thanks, Mr. Chairman. 

Mr. Mitnick. Can I make a comment? 

Chairman Thompson. Yes. 

Mr. Mitnick. And, by the way, private investigators and information brokers today obtain confidential taxpayer information from Social Security and the IRS and they are doing it as we speak. You can go to any private investigator and hire them to do this.

Chairman Thompson. We have had testimony to that effect.

Mr. Mitnick. So obviously it is somebody who has access to the computer either illegitimately or somebody that is taking payola to reveal this information that is within the agency.

Chairman Thompson. Thank you.

Senator Lieberman. Thanks. Mr. Mitnick, thanks for your testimony. You have been very illuminating and helpful. My staff lifted up some clips in preparation and one of them described you as "arguably the most notorious computer hacker in the world." I thought I would ask you if you would be comfortable, as we confront this problem, helping us to answer the question of "why?"

I mean, in one sense, the "why" of a certain number of people, national certainly in security areas is clear, if a foreign government, such as the Serbs during the Kosovo conflict, or some sub-national group of terrorists tries to break into our computer systems, that is a pretty clear "why."

But this is not like most crime waves. To a certain extent, as I 
read about your story and hear about others in the kind of daily 
breaking of government computer systems, it seems to me that 
there is a different sort of motivation. In some sense, it almost 
seems to be the challenge of it. If you would, just talk about why 
you, or if you want to third personalize it, why people generally be¬ 
come hackers. 





Mr. Mitnick. Well, the definition of the word hacker, it has been widely distorted by the media, but why I engage in hacking activity, my hacking activity actually was—my motivation was the quest for knowledge, the intellectual challenge, the thrill, and also the escape from reality, kind of like somebody who chooses to gamble to block out things that they would rather not think about.

My hacking involved pretty much exploring computer systems and obtaining access to the source code of telecommunications systems and computer operating systems because what my goal was was to learn all I can about security vulnerabilities within these systems. My goal was not to cause any harm. It was not to profit in any way. I never made a red cent from doing this activity, and I acknowledge that breaking into computers is wrong and we all know that. I consider myself a trespasser and my motivation was more of—I felt like an explorer on these computer systems and I was trying—it was not really towards any end.

What I would do is I would try to obtain information on security vulnerabilities that would give me greater ability at accessing computers and accessing telecommunications systems, because ever since I was a young boy, I was fascinated with communications. I started with CB radio, ham radio, and eventually went into computers and I was just fascinated with it. And back then, when I was in school, computer hacking was encouraged. It was an encouraged activity.

Senator Lieberman. Who encouraged it? 

Mr. Mitnick. In school. In fact, I remember one of the projects my teacher gave me was writing a log-in simulator. A log-in simulator is a program to trick some unknowing user into providing their user name and password, and of course, I got an A.

[Laughter.]

But it was encouraged back then. We are talking about the 1970s. And now, it is taboo. A lot of people in the industry today, like Steven Jobs and Steven Wozniak, they started out by manipulating the phone system and I think even went to the point of selling blue boxes on Berkeley's campus, and they are well recognized as computer entrepreneurs. They were the founders of Apple Computer.

Senator Lieberman. Yes. The fork in the road went in different 
directions in their case. 

Mr. Mitnick. Just slightly. [Laughter.] 

Senator Lieberman. Well, maybe there is still time. You are 
young, so there is still time. 

Your answer is very illuminating again. Part of what you are 
saying struck me, which is unlike other forms of trespass or crime, 
you did not profit at all. 

Mr. Mitnick. I did not make a single dime, but that is not to say—one of the methods how I would try to avoid detection and being traced was to use illegitimate cellular phone numbers and electronic serial numbers to mask my location.

Senator Lieberman. Right. 

Mr. Mitnick. I did not use this to avoid the cost of making a phone call, because most of the phone calls were local. I could have picked up a phone at home and it would have been a flat rate call. I did it to avoid detection, but at the same time, it was cellular phone fraud because I was using airtime without paying for it.

Senator Lieberman. Were you aware as you went through this 
pattern of behavior that you were violating the law? 

Mr. Mitnick. Oh, of course, yes. 

Senator Lieberman. You were? Were you encouraged or at least not deterred by the fact that you had some confidence that there were few or no consequences attached to it? There are cases where people know that they are doing something illegal, but they think that the prospects of being apprehended and charged are so slight that they go forward nonetheless.

Mr. Mitnick. Well, that is true, because as you are doing some illegal activity, you are not doing a cost-benefit analysis—well, at least I was not doing a cost-benefit analysis. I did not think of the consequences when I was engaging in this behavior. I just did it, but I was not thinking about, well, if I were to get caught, I would have these consequences. It was just focusing on the activity at hand and just doing it.

Senator Lieberman. Because of what you described before as the 
thrill of it or the challenge of it, the adventure. 

Mr. Mitnick. It was quest for knowledge, it was the thrill, and 
it was the intellectual challenge, and a lot of the companies I tar¬ 
geted to get the software was simply a trophy. I would copy the 
code, store it on a computer, and go right on to the next without 
even reading the code. 

Senator Lieberman. Interesting. 

Mr. Mitnick. I mean, that is a complete different motivation of 
somebody who is really out for financial gain or a foreign country 
or a competitor trying to obtain information, like economic espio¬ 
nage, for instance. 

Senator Lieberman. Right, very different. Clearly, as a law¬ 
maker, part of why I ask these questions is because I wonder 
whether if we raise the stakes, that is to say we set up security 
systems that make detection more likely and increase penalties for 
this kind of trespass, Internet trespass, whether there is a prospect 
of deterring the next Kevin Mitnick. 

Mr. Mitnick. You are talking about enacting further crimi¬ 
nal— 

Senator Lieberman. Yes, raising the prospects that a so-called hacker is going to be detected, for one, and then second, raising the criminal penalties for the hacking.

Mr. Mitnick. I would encourage you to come up with a method of prevention and detection, and I encourage the computer industry today to look to methods to better detect intrusions and, again, extensive user training and education on how to prevent the human exploitation.

For instance, in my case, I was basically doing this out of the curiosity rather than for financial gain, and what is interesting to note is in that case I described in that U.S. v. Czubinski case, where this was an IRS agent who obtained confidential taxpayer information and was eventually prosecuted, his convictions were reversed by the First Circuit Court of Appeals because what the court held is that Mr. Czubinski did not deprive the IRS of their property interest in this information because he had no intent to use or disclose the information he obtained.

That is the same circumstances as in my case. I was not doing it to use the information or disclose it to anybody. It was the trophy. So it is a very interesting issue of whether I really engaged in computer trespass or fraud, because fraud is where you deprive somebody of their money or property, and in my case, while it was a gross invasion of privacy, I never, in my opinion, deprived any of these companies of their software or used it to their detriment. So that is the difference in my hacking.

Then you have people out there who are working for private in¬ 
vestigators, trying to obtain confidential information like from the 
IRS or Social Security and through State and local government 
agencies to sell. Information brokers sell it to private investigators 
who have clientele that are trying to find information on people. 

Senator Lieberman. You know, I hate to suggest a waste of your talent, but as I listen to you, I think you would make a great lawyer. [Laughter.]

Mr. Mitnick. Well, I do not know if you are convicted of a felony, if they would allow you to be admitted to the bar.

Senator Lieberman. That is harder to do. [Laughter.] 

Let me ask you just a few more questions. 

Mr. Mitnick. Maybe I could get a Presidential pardon. 

Senator Lieberman. Yes. Maybe we will come back. 

Chairman Thompson. We have a lot of criminal lawyers around 
here. 

Senator Lieberman. Yes, we do. [Laughter.] 

Chairman Thompson. Nothing personal. 

Senator Lieberman. The response of the people attending was 
much more enthusiastic than we might like. [Laughter.] 

Mr. Mitnick, building on what you have just said, obviously, you have been away, involuntarily, from the world of computers for a number of years now. I wonder if you feel that the techniques that you used are still useful today and whether they have retained their relevance in light of all the change that has occurred, and whether you have any sense that today's computer security systems are more sophisticated than they were when you were involved in your hacking.

Mr. Mitnick. Well, I can say that the social engineering or the 
exploiting the human element of computer security, I think is in 
the same state as it was 5 years ago before I went to prison. 

Senator Lieberman. Yes. 

Mr. Mitnick. However, by reading materials and magazines and reading advertisements, I know that the industry is building security products to try to protect information that resides on computer systems. I have not had a chance to evaluate it, but it is simply if somebody has the resources, the time, money, and motivation, they can get into any computer. The only thing that the Federal Government and private sector can do is to reduce the threat. You cannot reduce it to zero—

Senator Lieberman. Make it harder. 

Mr. Mitnick [continuing]. You can only make it harder, and hopefully, the attacker will find it difficult that they will go to the next guy, just like people do at home. They put a lock on the door. If somebody really wants to get in, they are going to go through a window, and you can only make it more difficult so they try to go to the next guy. Then if somebody is really targeted, government information or trying to target information in the private sector, I think it would be extremely difficult to prevent, and that is why management is so important to really encourage systems administrators and the users of these computer systems, maybe to do some sort of rewards program, or if information is breached under their control, there should be some punishment.

I have not really given it that much thought, but for the human element, I think it is still in the same state, and I believe there have been some technological improvements, but the Internet, do not forget, the Internet started out as the ARPANET, which was pretty much academia, government agencies, and universities sharing information and the protocols were not developed with security in mind. They were developed to allow these individuals or these companies to share information and to co-work on projects, and now everybody is scrambling because of the e-commerce to build security on top of a weak foundation. Maybe what should be considered is building a strong foundation.

Senator Lieberman. Well said. I am struck by your emphasis on the human element as the weak link in this computer security chain and it conforms to other information we have heard that the so-called cultural factors, in some cases just plain negligence or inattention by people in charge of computers, leads to most of the problems in security that we have.

Let me ask one last question and then yield to my colleagues. In the question of security, as we think about computer security as it affects our national security, we naturally think of defense. But I have read some material that makes, I think, the good point that a hostile group or Nation wanting to do harm to the United States might not only go after traditional defense targets but might try to incapacitate power grids, for instance, public utility grids or transportation information systems or even stock or commodities markets.

To the best of your knowledge and experience, would you say that those essential but non-defense systems are probably as vulnerable as you have described systems to be generally?

Mr. Mitnick. Perhaps. If you have the resources of a foreign government, what would stop a foreign government from putting operatives to work in the companies to develop the hardware and software that is utilized by these groups, or the power grid, transportation, and these things of national importance, and put some type of back doors or some type of flaw in the operating system or the software applications that allows them to have access. I mean, they can go to those extremes and they have the resources to do it.

Senator Lieberman. Your answer leads me to just ask one last question: You have talked about the prominent role of what you have described as social engineering, which is to manipulate unwitting employees. I know it is hard to state a percentage on this, but would you guess that most hacking is being done in that way, by the manipulation of the cultural weaknesses, the human weaknesses? And to that extent, how much does hacking depend on successful human penetration of a system as opposed to technological penetration of a system without any assistance from anybody inside, with the assistance from inside coming either knowledgeably, that is, by somebody who has been placed in there, or just unwittingly by a negligent employee?

Mr. Mitnick. In my experience, most of my hacking involved the social engineering exploitations, but I think that most of the hacking out there is really the weaknesses that are exploited in the operating systems and the software applications, because if you go on the Internet, you can simply connect to computer sites that basically have scripts of the exploit scripts, so anybody that has access to a computer and modem could download these exploits and exploit these vulnerabilities that are in the operating systems developed by the software manufacturers.

That is why I brought out the point that I think it is important for the software manufacturers to be committed to thoroughly testing their software to avoid these security flaws from being released to the marketplace.

Senator Lieberman. It is a very important point. 

Mr. Mitnick. And maybe government and private industry, if these companies are not committed to it, is maybe going with another company.

Senator Lieberman. Thanks, Mr. Mitnick. You have been very 
helpful. I think you have turned your unfortunate experience in the 
past into some very constructive support this morning. Thank you. 

Mr. Mitnick. Thank you for having me. 

Chairman Thompson. How much time did you actually serve? 

Mr. Mitnick. Fifty-nine months and 7 days. 

Senator Lieberman. Five years. 

Chairman Thompson. Fifty-nine months?

Mr. Mitnick. I do not know how many minutes or hours. 

Chairman Thompson. Well, you know if instead you had raised millions of dollars for political campaigns, you would have gotten probation. [Laughter.]

Senator Collins. 

OPENING STATEMENT OF SENATOR COLLINS 

Senator Collins. How can I follow that, Mr. Chairman? 

Chairman Thompson. You had better choose your excitement 
more carefully in the future. 

Mr. Mitnick. I think that is a good idea. 

Senator Collins. Mr. Chairman, I want to first commend you and Senator Lieberman for holding this hearing to highlight the pervasive vulnerability of our private sector and government computer systems.

Mr. Mitnick, I was struck by your emphasis, as was Senator Lieberman, on the human element involved, because I think we often think of computer security in terms of technological safeguards or the physical security of the computers in restricting access. Yet your experience as well as the recent revelations about the former CIA Director's carelessness with his home computer suggest that we may be overlooking what is the most important factor, which is the human element.





In general, do you think there is a lack of awareness of the risks of the human element, both in the private sector and in the public sector? I am particularly thinking of at the higher levels of corporations and government agencies. I think training tends to occur at the lower levels, and yet the risk may be just as high at the higher levels. Could you comment on that?

Mr. Mitnick. I think the greater risk is at the lower levels. I do 
want to make a point. When you order a pizza, how they verify 
that you are the one that ordered it is by calling you on the tele¬ 
phone to verify that that is you. Well, you have got to really look 
at the big picture, and because there is a false reliance placed on 
telecommunications systems, such as the public telephone network, 
which is easily exploitable. 

So, for instance, if I were to call you at your—what I did is offer to do a demonstration today if the government would give me immunity, but there was not any time. But anyway, what somebody could actually do is if they have access to the telephone switch, they could actually manipulate it so you can call back a legitimate number that you think you are calling to verify the authenticity of the request, but that number has been rerouted to the attacker. So because of the reliance on faxes, on voice mail, on telephones in general to verify the legitimacy, and that is easily exploitable, that is what makes it so easy to exploit the human element.

Senator Collins. How easy is it for a computer hacker to use work done by others—I am told it is called an attack script—in order to hack into a computer? Would such a person even have to really understand how the computer code was written in an attack script in order to use it to hack into a system?

Mr. Mitnick. Not really. If there is a shell script or a script is written where they just run it and it gives them the super-user privileges or system administrator privileges, they really do not have to know how it is working, and what is unfortunate, you have a lot of people out there that have access to those scripts that really do not know what they are doing, so if they get into a computer and obtain system administrator-level privileges, they could easily destroy information or damage the computer by trial and error and without realizing what they are doing because they do not have the knowledge or the experience on that particular type of computer system. So it is concerning.

Senator Collins. Another issue that you raised earlier was that 
when the Internet was in the early stages of development, the em¬ 
phasis was on sharing information, accessibility, openness, free ex¬ 
change of ideas. The emphasis was not on security and that has 
made us vulnerable in some ways. 

Do you think that is also a problem with the growth of e-com¬ 
merce, that there has been insufficient attention given to security, 
that the emphasis has been on accessibility, ease of use, making it 
easy for people to make purchases? Do you think the private sector 
has been a little bit slow in turning its attention and investing in 
the security of its systems? 

Mr. Mitnick. Well, unfortunately, because I was unavailable for the last 5 years and e-commerce just started after I was sent away, I was not really able to keep up with it. But today, everybody is reluctant to use their credit card over the Internet because they think somebody is going to get their credit card number and defraud them. I think that there is a loss of confidence in using the Internet, especially with doing financial transactions, because mostly you hear about these media reports of these people being able to circumvent security so easily.

What is interesting is people will go into a restaurant and will hand their credit card number to a waiter or waitress and they have no problem with that, but they are afraid to type their number onto the Internet because they figure it could be captured, which is a possibility, but I think what is interesting is I think there is limited liability if someone were to obtain your card and use it without permission. There is maybe a $50 to $100 liability.

Maybe security systems have to be created that would raise the level of confidence that the public has in using the Internet for e-commerce.

Senator Collins. Thank you, Mr. Mitnick. I just want to wish you well as you go on with your life. You clearly have a great deal of talent and intelligence, and it seems to me, as we have been discussing, that you paid a pretty heavy price for your crime and I wish you well.

Mr. Mitnick. Thank you very much.

[The prepared statement of Senator Collins follows:] 

PREPARED STATEMENT OF SENATOR COLLINS

Mr. Chairman, I appreciate the work you and Senator Lieberman have done on the important topic of the security of the computer system of the Federal Government.

The Internet offers unprecedented openness and accessibility. Those same attributes make it vulnerable to attacks by unauthorized users. The pervasive vulnerability of our computer systems raises the specter of malicious attacks by terrorists rather than simply the relatively benign intrusions of teenagers.

As one expert in computer security recently stated, "The Net changes the nature of crime. You don't need skills to be an attacker. If you are going to make counterfeit bills or burglarize a building, you need certain abilities. On the Net, you download an attack script and click here."

The sophistication of computers has been matched by the opportunity for mali¬ 
cious activity based on information obtained through the Internet. In my view, this 
creates an increased ability for a greater number of people to threaten government 
computers. 

We have an excellent group of individuals on the panels today who can share 
their view of what the government can do to better protect its computer system. I 
look forward to their testimony. 

Chairman Thompson. Thank you very much. Senator Edwards. 

OPENING STATEMENT OF SENATOR EDWARDS 

Senator Edwards. Thank you, Mr. Chairman. 

Good morning, Mr. Mitnick. 

Mr. Mitnick. Good morning.

Senator Edwards. I am from North Carolina and actually live in Raleigh and I remember vividly—

Mr. Mitnick. I have been there. [Laughter.] 

Senator Edwards. You were big news for a long time in Raleigh. 

I remember it very well. Let me ask you about a couple of things.

In answering one of Senator Lieberman's questions about why you got involved in hacking to begin with, I was listening to the words you were using and they sounded very much to me like a description of addictive behavior. Do you believe that addictive behavior is involved with folks who are habitually involved in hacking like you were?

Mr. Mitnick. I am not sure I would consider it addictive behavior. It was just an activity I was intensely interested and focused on, because ever since I was a young boy, I was interested in telecommunications and computers and that was just my calling, just like somebody is very interested in sports and every day they go out and practice. I am not sure that you can really equate it to like a physical addiction. But then again, I am not a health services professional, so I would not know.

Senator Edwards. No, I understand. But did you feel like you 
yourself were addicted to this hacking behavior? 

Mr. Mitnick. I enjoyed it. I would say it was a distinct preoccupation, but I do not think I could label it as an addiction, per se.

Senator Edwards. Did you ever try to stop?

Mr. Mitnick. I did stop for a while, and then at that time that I was not engaging in that behavior, the Department of Justice, specifically the FBI, sent this informant to target me, and basically, I got hooked back into computer hacking because of the enticements that this fellow that they sent to target me, enticed me back into that arena.

Senator Edwards. What advice would you give to other hackers, 
or probably more importantly, potential hackers? 

Mr. Mitnick. That is hard to say. I would have to really think about that. I do not encourage any activity which maliciously destroys, alters, or damages computer information. Breaking into computer systems is wrong. Nowadays, which was not possible for me when I was younger, computer systems are now more affordable and if somebody wants to hack, they can buy their own computer system and hack the operating system and learn the vulnerabilities on their own system without affecting anybody else with the potential for causing any type of harm.

So what I would suggest is if people are interested in the hacking 
aspect of computers, they can do it with their own systems and not 
intrude upon and violate other personal or corporations’ privacy, or 
government. 

Senator Edwards. Do you think it is possible to use things like click stream data to identify people who are at least potentially going to—

Mr. Mitnick. Excuse me, to use what? 

Senator Edwards. Click stream data. Do you know what that is? 

Mr. Mitnick. No. 

Senator Edwards. OK. Do you think there is some way to identify people who are likely to become engaged in hacking just based upon their patterns of behavior in using their computer systems?

Mr. Mitnick. I do not know. 

Senator Edwards. You said in your testimony, and maybe some¬ 
one has asked you this and I did not hear it, that in 20 years of 
experience in circumventing information security measures, you 
have been able to successfully compromise all systems save one. 

Mr. Mitnick. That is true. 

Senator Edwards. Which one? 

Mr. Mitnick. It was a computer system run by an individual and this computer was at his home and it was in the U.K., in England, and I was unable to circumvent the security on that system because I did not have control of BT, which was British Telecom. 

Senator Edwards. So there is nothing about the security system itself that gives us a lesson on how we can make systems more secure? 

Mr. Mitnick. See, a real important point is the more people that have access to a computer system, the easier it is to penetrate because—well, of course, for the social engineering exploit, like in government or in large corporations, it is very easy. But the less people that have access to the computer system, the less vulnerable it is, and in this particular instance, it was one person and it was his home machine, so it was extremely difficult and this person was very, very sharp on computer security issues. In fact, this individual is the one that found security vulnerabilities in the VMS operating system which was manufactured by Digital Equipment Corporation, and why I targeted this individual was to basically find and obtain all the security flaws that he discovered in the operating system because my goal was obtaining information on all security vulnerabilities so I would be effective at being able to compromise any system that I chose to compromise. 

Senator Edwards. One last thing. In North Carolina, we have a 
company called Red Hat. 

Mr. Mitnick. Linux? 

Senator Edwards. Yes. They have been, as you know, very successful. I had a meeting a few weeks ago with Bob Young, who is the founder of that company, and I was just curious whether you—and based on my discussions with him, I had some feeling that there was at least the potential for these open source software systems to be more secure. Do you have any views about that? 

Mr. Mitnick. Yes. I think that is true, the reason being is they are open for inspection by the public at large and in so doing, just like with systems that utilize encryption, I think those security flaws could be readily identified and published and fixed rather than in a proprietary system where it is not open to the public and then you maybe have the individuals that find these holes do not report them and they use them to exploit vulnerabilities and access computer systems without anyone knowing the better, or without detection. 

Senator Edwards. Thank you very much. Good luck to you. 

Chairman Thompson. Thank you very much, Mr. Mitnick. You have been very, very helpful to us. Good luck to you. 

Mr. Mitnick. Thank you. 

Chairman Thompson. Thanks for being with us today. 

Mr. Mitnick. It is an honor to be here today. 

Chairman Thompson. I would like to introduce our second panel. Jack Brock, Director of Governmentwide and Defense Information Systems at GAO, who is responsible for most of the work done by the GAO for this Committee over the last few years. Also on the panel is Roberta Gross, the Inspector General for NASA, who has done much work in the area of computer security and even has a special investigative unit on computer crimes, so thank you for being with us. 


We always take more time with our first panel, whether it is one witness or 10. We are going to have to be out of here in about an hour, so as far as we are concerned and the panels are concerned, let us keep that in mind and do what we can. 

Mr. Brock, do you have any opening comments to make? 

TESTIMONY OF JACK L. BROCK, JR.,1 DIRECTOR, GOVERNMENTWIDE AND DEFENSE INFORMATION SYSTEMS, ACCOUNTING AND INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE 

Mr. Brock. Yes, sir, I could actually spend my entire time reading you a list of the reports that we have done on computer security, many of these for your Committee. 

Chairman Thompson. Could you summarize all that? 

Mr. Brock. Absolutely. 

Chairman Thompson. Would you say there is a bunch? 

Mr. Brock. There are a lot. 

Chairman Thompson. All right. 

Mr. Brock. Unlike Mr. Mitnick, when we go into agencies, we are doing so with the full knowledge and authorization of the agencies we go in. A long time ago, when we did computer security work, we examined agencies’ controls and we would comment on those controls and we would say the controls are inadequate and the agency would say, well, no, they are adequate, so we disagree with you. 

A few years ago, we started doing our own testing of the controls. We do not call it hacking, we call it penetration testing. We have been uniformly successful in getting into agencies. The reports that we have done for your Committee over the past few years at NASA, State, DOD, and the IRS, indicate that, typically, agencies have very poor controls. 

EPA, which we have just released a report on a couple of weeks ago, we went in through their firewall, which offered virtually no protection. We had access to their mainframe computer center, which had almost no controls set up, and we were able to wander around the agency almost at will. It was not really difficult. 

At another agency where the firewall offered better protection, we did what Mr. Mitnick was referring to as social engineering. We simply call people and say, I am Joe Blow. I am the system administrator. Here is my telephone number. Call me back. We are having a problem with your account. Give me your password, and you can call this number and check it. It is amazing how many people just call you right back and give you the password. 

If that does not work, you just gain access to the building and walk around and you find computers that are open. You find the computer monitors with the password in a sticky on it. It is not very difficult to get access. 

So as we have gone to agency after agency after agency, the specific weaknesses are usually technical. There is a technical reason that we are getting in. The software has a hole in it. The firewall is not very good. It is not very rigorous. Password protection is weak, or whatever. 


1 The prepared statement of Mr. Brock appears in the Appendix on page 55. 

We, frankly, after doing many of these and we are doing the same report over and over, we said, there has got to be a better way of doing this, and at your request, we looked at agencies or at organizations that have good computer security, and there we found that good management attention to the problem is the secret. 

It is much like if you have a house and you have wood rot and people come in and they say, well, you have got a problem, and you patch it over with a little putty, you still have that underlying weakness. 

We found when we were going into agencies and pointing out specific computer weaknesses, that these weaknesses would be corrected. They would patch it. But the underlying causes, the poor management, the lack of management attention, the lack of budget, all of these things really did not fix the underlying problem. So it was like sticking your finger in the dike. You would plug up one hole and another hole would spring out somewhere else and things would leak through. That is the condition we find at agencies, and we find it consistently. 

One of the things that your bill does is it changes the direction of the computer security legislative framework. The Computer Security Act is inherently flawed in that it is built on a system-by-system basis. It starts with the premise that computer security can be fixed at the system level when really it needs to start at the management level. I would like to briefly go over a few features in your Bill that we think are very commendable and we would encourage that if legislation is being considered, that these items be kept. 

First of all, it incorporates the best practices that we found at leading organizations, in other words, those management practices that agencies or organizations undertook to, in fact, provide a secure framework throughout their organization. 

Second, your bill requires a risk-based approach to be implemented by agency program managers and technical specialists. Let me just talk about this a little bit. If you do not know what your risk is, and risk is a function of the vulnerability of the system, a function of the threat to the system and a function of the value of the information of the process that that system controls. If you do not understand your risk, you are not going to put in the right kind of controls, you are not going to have the right kind of training, you are not going to have the right kind of testing. Rarely do we find agencies that do a good job at determining the risk they face, and again, without determining the risk, you are not going to know what sort of controls need to be put into place. 

Third, your bill provides for an independent audit and we think that is an absolute must. An independent audit gives OMB, oversight committees, such as yourself, and agencies themselves an opportunity to see how well do controls work, how well do training policies work, how well are they doing as a management entity in terms of providing good computer security over our information resources. 

Finally, it also eliminates the distinction between national security and non-national security systems. Right now, there is a dividing line. We have actually gone to some agencies and talked to them about computer security and they say, we do not have any classified information. Therefore, computer security is not an issue with us. And by having that distinction between national security and non-national security, we think that in many agencies, it creates a barrier to having an effective agency-wide security program. 

If I could just indulge you for a moment more, we would like to talk about a couple of features that we think you should consider. The first of those, and you alluded to this in your opening remarks, is that we believe there should be mandatory standards put into place and that these standards should be in two parts. The first part would be a standard set of data classifications which would be used by all agencies, for example, risk levels ranging from one to whatever, and that data would be classified in one of these risk elements, ranging from things that you did not care that much about, information that was not particularly sensitive, was not particularly vulnerable, all the way to national security information. 

In turn, this would lead to a set of mandatory control requirements that would set minimum requirements for each of these data classifications. We believe if this were instituted across the government, it would improve the ability of the government to enforce computer security, it would improve the ability of managers to provide a minimal level of support for their agency, it would permit better targeting of resources, and it would improve the ability of the independent auditors to do a good job. 

Finally, we think there is also a need for stronger central guidance. I think the lessons learned from Y2K is that a strong central hand, in this case, John Koskinen, really can provide much needed oversight and impetus to agencies in terms of making sure that they are following good practices, making sure that budget submissions are responsive, and in general, providing the leadership that seems to be lacking in computer security. 

That is my brief statement, and I would ask you, Mr. Chairman, 
that my full statement be included in the record. 

Chairman Thompson. All statements will be made a part of the 
record. Thank you very much. 

Chairman Thompson. Ms. Gross, thank you. 

TESTIMONY OF ROBERTA L. GROSS,1 INSPECTOR GENERAL, NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 

Ms. Gross. Good morning. Thank you very much for inviting me here to testify on the act. I am here in a double capacity. I am here as the NASA Inspector General. I also head a task force that is looking at this bill on behalf of the Inspector Generals, and so I will weave in some remarks that will reflect some of the community remarks. 

This is a world of limited budgets. We all know that. And in making decisions, agencies have to decide—Mr. Brock pointed that out—they have to figure out what is the risk to their systems. Obviously, in an agency like NASA, you are going to give a different kind of security to the public website than you would, for example, to protecting the astronauts on the space shuttle. So you have to make these risk/benefits and that requirement is a key element of this act. 


1 The prepared statement of Ms. Gross appears in the Appendix on page 71. 

But there is a complication to agencies making investments in IT security. I think if you look at the Y2K issue, the problem of the change of the year for the computers, once it was a success, headlines were, this was maybe a hype and we spent too much money. 

Well, if it was not a success, there would have been a different set of headlines. So investment in IT security is very difficult for agencies to make, because if its security is working, you do not get headlines. But boy, when it does not work, you get headlines. I think recent events about the hackers attacking different systems, it makes headlines. But agencies do not see the visibility of IT security until it fails. 

I would draw your attention to the success of the Y2K coordinated efforts. I think it provides a model that is reflected in your bill about how to approach IT security. It was at the highest level supported and everybody plugged in. You had the President, OMB, agency heads, the CIOs, GAO, and the IGs, as well as the Congress in its exercise of oversight, and the focus worked. We entered the new millennium with minimal Y2K problems. 

This act asks many of the same players to have the same sustained focus, and that is key, a sustained focus. It was easy for Y2K, because it started rolling around and everybody started really focusing on it. But computer security is an ongoing effort, and I think it will be very helpful for this Committee and other committees with oversight to keep that sustained focus. 

We (NASA OIG) support the placement of the focus of OMB, the Deputy Director, having oversight. I think it gives a high level attention. Also the Deputy Director has a unique vantage point. The Deputy Director serves as the chair for the IG councils, the CFO, the chief financial officer councils, the CIO councils, and also the President's Management Council (that is the very senior level executives that head up the agencies). And so you have a person at a high level that is able to coordinate all these different councils for a government-wide focus and I think that was a good selection. 

You also make the heads of agencies to be accountable. Heads of agencies occupy bully pulpits. They are able to set the priorities of their agencies. Use the Y2K example. I can remember Dan Goldin saying, “I am being held accountable and we are not going to fail.” 

He had the bully pulpit and everybody heard. So this is enlisting again the heads of agencies, and you need to hold the agency heads accountable because they can change a culture of “I do not care,” or “we are just scientists,” or “we just want information, how does it impact me?” So that is a very important feature. 

In terms of the CIOs, we had a discussion with the IG working groups. Many in the working groups view these CIOs as not having resources, not having staff, not having budget. Some even characterize their CIOs as paper tigers. So this act gives a lot of responsibility to the CIOs and it is going to be important for OMB and for this Committee and other committees to make sure that those CIOs have the authority and the resources to do what this act is expecting. 

I would use the example of NASA. We have repeatedly made criticisms of the way that NASA establishes the CIO. He is doing the best he can, but he has no budget, or little budget, he has almost no staff, and NASA has decentralized the CIOs at each of the centers, and there are ten NASA centers. They (the center CIOs) do not report to him. He does not control their budget. He does not do their evaluation. The centers can give the CIOs collateral duties or they can decide what grade level the CIO should be: an SES, a 16, or a 14. If they do not agree, who do they report to? They report to the centers, not to the CIO, the head CIO. That decentralization and fragmentation impedes IT security. 

To further compound that problem at NASA they have bifurcated, not bifurcated, they have given each of the centers various tasks. In Glenn in Ohio, the Glenn Center does training. In Ames in California, that is the center of excellence for IT security. You go to Marshall and that is the center for the firewalls, and on and on. Each center is a little center of excellence and none of those people report to the CIO. He does speak with them. They do collaborate. They do have telecons. But is it any wonder that it takes a long time for NASA to get any policies and procedures? 

We have had reports pointing out instances where this decen¬ 
tralization and fragmentation, that whole kind of structure in and 
of itself weakens IT security, and we have more to say on that in 
my testimony, the written testimony. 

I want to get to the part of the act that has to do with the Inspector Generals. In terms of the OIG working group, we did have a problem with the act narrowly defining the independent external auditor. Under the act, if the IGs do not do the work, an external auditor can be hired, but we thought that that implies a financial orientation and it should be any qualified external entity, and that is just a wording change. 

But one of the things that the OIG working group commented on was they welcomed the act’s tasking. They think you cannot be doing the high-risk work that agencies are facing without doing the review work, but the IGs will have to recruit, train, and retain a good cadre of professionals. That is going to require the support of the agencies and OMB and the Congress in supporting their budgets. 

In my written testimony, I went through how for the past 4 years I have been recruiting a cadre of people in the audit arena and in the criminal investigative arena, as well as my inspectors, and that has taken time and these are a high-paid, qualified group. They are worth it. They are definitely worth it. But it does take time and it does take money and this group (Congress) has got to be supporting the budget that goes with that. 

The last detail that I want to address is the section that talks 
about law enforcement authorities. The act requires that security 
incidents be reported to law enforcement officials, but it does not 
define that term. Where an OIG has a computer crimes division, 
then the agency system administrators need to report security inci¬ 
dents to and work closely with the IG special agents so that the 
agency ends up preserving evidence, maintaining chain of custody, 
and that you have the documents that you need and the materials 
that you need so that you can have a court case. 

The Department of Justice has made it clear in writings and in its actions that it is not just the FBI that does the criminal investigations on computer intrusions, and in my written testimony, I have a letter, referred to a letter by Scott Charney, who was then the former head of the Department of Justice Computer Crimes and Intellectual Property Division, where he talks about other agencies that do and have the authority for computer crimes—Secret Service, Air Force audit and their investigative service, as well as NASA’s Inspector General. But I think that is very important for this oversight Committee to understand that. 

Obviously, the Presidential Directive, PDD-63, established the NIPC, the National Infrastructure Protection Center, so that you can have the critical infrastructure reviews and investigations done by the FBI. But there are thousands of intrusions each year and every intrusion is not against the critical infrastructure. Indeed, at NASA, space does not even make the critical infrastructure. It is very important, then, that NASA have a good Inspector General’s computer crimes unit, to have a group that has a focus on NASA as the victim. 

It is important that this Congress support the efforts of Inspector Generals to have a computer crimes unit. It takes training. It takes training people. You have to have a very qualified cadre of people. But if you recall, the Inspector General Act was to have the synergism of audits and investigations so that if you are doing an investigation and you see internal control problems, you also tell your auditor so that they can do a system-wide look-see. That synergism is very important and it is very important that the Inspector General communities have computer crimes units so that the IGs can make sure that they protect the victim agencies. 

In sum, I think you have the framework for a very good act. It has an oversight capacity, which I think is very important, and it also enlists the players that need to be there—OMB, heads of agencies, and CIOs. Thank you very much. 

Chairman Thompson. Thank you very much. You were invited to come because of the innovative approaches that you have at NASA, and you remind us how important the IGs are in this whole process, so thank you very much for what you are doing and your helpful testimony. 

Mr. Brock, let me address a few questions to you. The thing that jumps out at me first when I start to look at this, in February 1997, the GAO had a series of reports to Congress and things were so bad that this security problem was put on the high-risk list at that time. Late in that same year, 1997, the CIO Council, which is, of course, under the OMB, delineated it as a top priority. On March 31, 1998, the GAO filed another report on the consolidated financial statements and that report pointed out widespread deficiencies in terms of information security. Then again in September 1998, of course, we have this report entitled, “Serious Weaknesses Place Critical Federal Operations and Assets at Risk.” I do not know how much more pointed you could be than that. 

It is really outrageous that the Federal Government in an area of this sensitivity cannot do more faster. Since at least 1997, it has been 3 years since we have known—at least—since we have known about the seriousness of this problem. We get report after report after report. If I were you guys, I would wonder why you are even in business and whether or not we pay any attention to you or not. This last report still points out serious deficiencies, still do not have any management in the system, and we are still extremely vulnerable, and it makes you wonder what in the world it takes to get anybody’s attention. 

I look back at the current law and wonder, what are we doing to help the process? Are we overlaying an already complex process? I see we have given OMB responsibilities before. We have given agencies responsibilities before. Are we just telling them again to do it and we really mean it this time, or what are we really doing? 

I am playing devil’s advocate with our own bill here, I guess, but are we really doing something here that is different from all of these other acts, the Computer Security Act, the Clinger-Cohen Act, Paperwork Reduction Act, on and on and on, the Privacy Act. 

I mean, you have a dozen pieces of legislation that in some way deal with this overall problem, so our solution is another piece of legislation. I am very skeptical, generally, of that problem. 

Now, I do not want to waste my time or yours on this unless we are really doing something that, for the first time, can have some accountability. Until people are held accountable, until somebody is fired or somebody loses some money or somebody is embarrassed more than we have been able to so far, nothing is going to change. It looks to me like we have a chance here maybe of having some accountability. With the Results Act and everything, everybody is talking about measurements and measuring results and accountability from those results. I do not know whether we mean it or not yet, but we are all talking about it now, and now we are bringing it to this problem, measurable outputs and things like that. 

First of all, is my assessment off base? If not, why has it taken so long to do anything and are we, in our bill, really doing anything that has a decent chance of making a difference? 

Mr. Brock. First, Mr. Chairman, as chairman of our oversight committee, I hope you were not really serious about wondering why we are in business. [Laughter.] 

Chairman Thompson. Well, I would have to ask the same thing about ourselves, would I not? 

Mr. Brock. I agree with your basic premise. It is a shame that you have to have a bill to mandate good management. I mean, clearly, it is not a crime now to have good management in agencies that said, we are going to do things the right way. But clearly, the reports that we have done for your Committee over the past few years have indicated agencies are not doing the things the right way, that something is broken, and that attention needs to be paid to this. 

I think the features you have in the bill, that many of these features are the kinds of things that are designed to pick things up by the nape of the neck and shake and grab attention. The independent assessments every year are a mechanism where you can identify weaknesses, where you can identify where accountability should lie and where it has not been exercised and where it gives the administration, as well as the Congress, an opportunity to take corrective action, and that is the next step. Pointing out the weaknesses, pointing out the management deficiencies is one thing, and then taking the next step to exercise that accountability is something that would still remain to be done. 

Chairman Thompson. I take it that you feel that we need to be 
more specific in establishing standards. 

Mr. Brock. Yes, sir. 

Chairman Thompson. Than the bill as currently drafted? 

Mr. Brock. Yes. 

Chairman Thompson. And we need to delineate what with regard to risk levels, a requirement that they be considered or we tell them how to consider it, or how specific should we get on the mandatory requirements in determining risk level and also how specific in the mandatory minimum requirements, I guess you might say, in addressing those levels? Obviously, we cannot deal with all that here today, but—

Mr. Brock. Your bill starts off in the right direction on that by requiring agencies to do a risk-based assessment. But once they do the assessment, they need to be able to categorize that. We have this level of risk, or we have this risk level, what category should that be in? How risky is it? 

Chairman Thompson. That is really kind of management 101, is 
it not? 

Mr. Brock. Basically. 

Chairman Thompson. I guess they do need to be told to do that. 

Mr. Brock. Basically, but if you had it consistent across the agencies, it would be much easier to have guidance that could be more easily developed and more easily taught and trained. But then the next step, if you are at a certain risk level, what are the minimum things you should do in terms of authentication, in terms of encryption, or in terms of independent testing to make sure that you are meeting those levels of control? 

Chairman Thompson. So it would be a mistake to let each indi¬ 
vidual agency determine what it needed to do to address these be¬ 
cause they have not shown any indication that they have the capa¬ 
bility or the motivation to do that, is that correct? 

Mr. Brock. Yes. I think it is—

Chairman Thompson. You said it would be much easier to have 
minimum good standards that would apply to any agency. 

Mr. Brock. Right. I think it is appropriate for each agency to determine its risk that it faces, but then if you had the common standards, I think just the very process of developing those common standards would really create a rich dialogue and go a long ways towards improving a shared understanding among agencies about what some of the good features of computer security should be. 

Chairman Thompson. And third, you mentioned some stronger central guidance. Obviously, OMB has not been doing its job. They have responsibility here. Now their major objection to your report, I understand, was that you are focusing too much on our responsibility at OMB and they either do not think they have that or want it. They are pointing to the agencies, and the agencies, I am sure, are pointing to somebody else. So here we go with OMB again, which causes some people to say we need a new information security czar, because maybe OMB inherently, if the allocation of their resources and what is going on over there, maybe they are not the right ones to be bird-dogging this. They sure have not done a good job of it so far. 

What are we doing that is going to improve that situation? I understand that we cannot even tell where the money that we appropriate is supposed to go for, maybe it is not line item, but it is supposed to go for security enhancement. You cannot even find it. We do not know how it is being spent, in terms of information security, is that true? 

Mr. Brock. That is correct. We have trouble determining how much money is spent within each agency on computer security. I think Ms. Gross in her statement, when she talked about the similarities between the Y2K problem and how top managers within each agency felt accountable, and I think one of the reasons they felt accountable was really the strong role that the central manager, in this case, Mr. Koskinen, made in making sure they understood they were being held accountable. 

We do not have that situation on computer security. I think it should be closely examined as to whether there should be a computer security czar, though, and separate that from a CIO that would have responsibilities for other aspects for information management. We have rarely gone to a good organization that had good computer security, and we found out when we go there that they also have other good information management practices. It is part and parcel. We have never gone to a place that had poor information management, where they had poor lifecycle management, poor systems development efforts, poor software acquisition processes and had good computer security. It all runs together. 

Therefore, I would be reluctant to suggest that you separate computer security from the other aspects of information management. Next year, the OIRA reauthorization will be coming up and we will have an opportunity at that time, as well, to examine the Paperwork Reduction Act, the Clinger-Cohen Act, as well, and I think these are good questions to also bring up at that time. 

Chairman Thompson. We are looking forward to that, but we are 
not vesting responsibility there in this bill. We are bringing it to 
a little higher level than that, but thank you very much. 

Senator Lieberman.

Senator Lieberman. Thanks, Mr. Chairman. Thanks to both of you. I think your testimony, both written and here today, has been really very direct and very helpful and you are both obviously quite knowledgeable. The Chairman has covered some of the areas I had an interest in, so I will be fairly brief.

I take it that you agree not only with what Mr. Mitnick said, but 
what I have learned generally in my reading here, that a lot of the 
problems of computer security are cultural, which is to say human, 
correct? 

Mr. Brock. Yes. 

Senator Lieberman. Beyond management, which obviously is critical and at the head of this, let me just ask you to speak a little bit more about the question of whether there should be consequences if a Federal employee fails to follow proper procedures relating to computer security. Or, on the other end, whether there ought to be consequences for exemplary behavior with regard to computer security.

Mr. Brock. Yes, I would agree with that. The problem we have, though, and some Federal agencies are going to, that accountability is always at the technical level. Well, we have had a break-in, we have had a failure, it must be the guys in the computer room's fault or we would not have had this. And for specific weaknesses, that might well be true, but the accountability typically does not extend upwards into management, where an atmosphere has been created or budget resources have not been appropriated or whatever and those individuals also need to assume their share of the accountability.

In the private sector, we found very definite links and control mechanisms for measuring accountability, for measuring performance against that accountability and holding individuals responsible, whether they be system administrators or the system process owners.

Senator Lieberman. How are they held responsible in the private 
sector? 

Mr. Brock. In one good example we have, managers have to define the risk. Along with the technical people, they agree upon the vulnerabilities and the threats. They then have to allocate money and resources to providing an appropriate level of protection and they sign off on that. At the end of the year, the independent audit comes in and, first of all, determines did you, in fact, appropriately determine the risk and are you appropriately protecting these to the level you agreed upon.

In some cases, we found good examples where they made a business decision not to provide a level of protection, but it was a business decision and it was examined and agreed upon by the board. And in some cases, I believe that people were fired when they failed to meet the terms of their contract.

Senator Lieberman. Ms. Gross, do you want to add anything 
about individual accountability here? 

Ms. Gross. Yes. I think what you have to do is first implement a training program—

Senator Lieberman. Right. 

Ms. Gross [continuing]. Because this is very much a cultural thing. I mean, NASA, you go to, for example, the Goddard Space Center and its scientists, its engineers, they are collegial. They are talking with universities and they are interested in their earth science programs and they do not think about security. It is not until, for example, you will tell a scientist who is collecting data and working on a journal article, if somebody takes your information through the computer and publishes that information a year ahead of you or 6 months ahead of you, do you care? Oh, they all of a sudden—it comes home that it actually does impact them.

Senator Lieberman. Sure. 

Ms. Gross. And I think the GAO audit on NASA pointed out they did not have a training program. They still do not. They are still getting it together and trying to work out what should be the appropriate training program, partially because they did not have IT security standards, so how can you develop your training program. But meanwhile, you have to have systems administrators trained. They expect to have it in 2001. You cannot wait until 2001. You have got to have systems administrators held accountable in some ways.

So the issue on accountability is a lot more complex than just saying, you have got to be accountable and we are going to take action. On the other hand, on very simple, no-cost, low-cost things that the agency can do, they should be held accountable. They are supposed to banner their systems, both for law enforcement and for downstream liability, it is supposed to say, this is a government computer, you are accessing a government computer, so the hacker knows he is trespassing. He cannot say, oh, I was just surfing. I was looking for America On-Line and look what I got, I got NASA.

So bannering is simple, but it does not happen. In that case, if a system administrator is not going to banner the computer, we just take away the computer. They cannot do their science. That you can hold for simple, no-cost, low-cost, which we have identified and we can continue to identify. You can hold them accountable because it makes the agency safer right away.

On the other hand for some of the major accountabilities, you have to have risk assessments and you also have to then make sure that your systems administrators, and that is not insignificant numbers, are trained, and let me explain why I am saying it is not an insignificant number.

For example, the Goddard Space Center, they said, how many of you think that you are system administrators, in other words, you have basically root access and have super controls of the computer. Nine hundred people need a basic training and an advanced training so that they can be systems administrators, and in many of those cases it is a collateral duty. They are not security specialists, they are scientists, but they have a very powerful computer system that networks with other systems, so they need training.

So I am trying to put it in a context, because you can say, OK, we are going to hold people accountable and we should have very powerful consequences. I think that, definitely, agencies can start immediately, no cost, low cost. There is no reason why agencies cannot be bannering their computers. That is nothing new.

Senator Lieberman. Right.

Ms. Gross. There is no reason why people cannot be using passwords that are a little more difficult than the dictionary. I mean, the security office gives instructions on how to have better passwords. All those things, you can start holding people accountable for, and I think what you end up having to have is your CIO making a range of things that we expect tomorrow or next week, and these are the other things we are going to phase in, but it takes attention, and again, you start with the bully pulpit of the head of the agency. You (Congress) all have the bully pulpit also, and that is important, but the agency does, too.

Senator Lieberman. Right. I think the intention of the bill—though it does more than this—is to raise up computer security as a priority consideration of Federal agencies and of individual Federal employees who have responsibility.

Let me ask a last question of you, Mr. Brock. I am sure you know that the President proposed a Federal Intrusion Detection Network, FIDNet, to monitor patterns of intrusions in the Federal systems, which is supposed to be housed at GSA's Federal Computer Incident Response Capability office.

Mr. Brock. Yes. 

Senator Lieberman. In your testimony, you mentioned the need to improve the government's ability to respond to attacks on computer systems. So my question is, just to build a bit on whether we need a stronger Central Incident Response Center, whether the President's idea and location is the right one.

Mr. Brock. Well, those all go together. 

Senator Lieberman. Right.

Mr. Brock. We do believe that incident response is important and that intrusion detection is important. A specific criticism we had of the President's plan was the fact that it focused so much on intrusion detection, you began to get the impression that that was the primary means they had of improving the government's or the Federal Government's computer security program.

Senator Lieberman. You mean as opposed to all the other management—

Mr. Brock. As opposed to prevention, for example. 

Senator Lieberman. Prevention, right.

Mr. Brock. One agency that we have gone to at EPA, they did a pretty good job of reporting and recording their intrusions. They did a very bad job of doing anything to prevent those intrusions or in analyzing those intrusions in order to take corrective action.

So intrusion detection is important. It is important to share that information with other agencies so that you can learn from it. So to that point, we strongly support sharing the information. We would strongly support some sort of incident response capability so that you could take action, but it needs to be part and parcel of an entire program and should not be the primary or the only focus of such a program.

Senator Lieberman. Thanks very much. Thank you both. That was very helpful.

Chairman Thompson. Thank you very much. We could spend a lot of time with the both of you. You have been very helpful today and we will continue to work together on this. We appreciate your contribution to this and your fine work.

Mr. Brock. Thank you. 

Ms. Gross. Before I go, I would like to just incorporate into the record my full written testimony.

Chairman Thompson. Absolutely. All statements will be made a part of the record.

Ms. Gross. And both Senators, I would like to leave for you all, we have done a "Clearing Information From Your Computer's Hard Drive" pamphlet. Mr. Mitnick was saying how easy it is at the lowest levels to end up having intrusions. This is when you excess your computer and you get a nice new super computer and you think you have deleted all your files and what happens is a lot of your information that you think is very sensitive is going out to schools, to prisons, etc. We have some on the desk and I certainly draw this to your attention. Thank you.

Chairman Thompson. Thank you very much.

On our third panel, we are fortunate to have Ken Watson, Manager of Critical Infrastructure Protection at Cisco Systems, Inc., and James Adams, who is the CEO and co-founder of iDEFENSE. Both of these gentlemen are known in the industry as experts on the issues related to information protection and security.

Gentlemen, thank you very much for being with us here today. Mr. Watson, do you have an opening statement to make?


TESTIMONY OF KENNETH WATSON,¹ MANAGER, CRITICAL INFRASTRUCTURE PROTECTION, CISCO SYSTEMS, INC.

Mr. Watson. Thank you. Chairman Thompson, Ranking Member Lieberman, and distinguished Members who are here. I appreciate the opportunity to speak to you about network security best practices.

The last 8 years of my 23 years in the Marine Corps I spent helping to draft policy and doctrine for information warfare and taking joint teams and conducting information operations to integrate those into other military operations. When I retired, I went to work for WheelGroup Corporation, where I managed our security consulting team. We would do legal contracted security posture assessments in corporate networks and provide them reports of their vulnerabilities. When Cisco acquired WheelGroup, I transitioned to critical infrastructure protection and that is my role now at Cisco.

That team just recently conducted a 6-month study of vulnerabilities in corporate networks and I have put together the top three to five vulnerabilities that were discovered in every area as the last two pages of my written testimony and it is just a table of what are the vulnerabilities and how do you fix them. It is important to note that the way this team works, it does not use anything like social engineering or other things that might cross the bounds into becoming illegal activities. They concentrate on working at the keyboard only and finding technical vulnerabilities and that is it.

It is kind of interesting that they are continually successful in penetrating external defenses about 75 percent of the time, but once inside, they are about 100 percent successful in gaining unauthorized access between machines inside a network, and that would be true for government or private sector networks.

Cisco Systems is serious about network security and about its implications for critical infrastructures on which this and other developed nations depend. Few can argue that the Internet is changing every aspect of our lives. Internet economy is creating a level playing field for companies, countries, and individuals around the world. In the 21st Century, the big will no longer outperform the small. Rather, the fast will beat the slow.

So how do you decide on a best practices solution? I would like to offer a simple way to organize network security technologies and practices and talk a little bit about what Cisco has seen in customer networks. Our model is not reinventing the wheel, but it is what we call the security wheel and it talks to five general areas where you can group technologies and practices and it is a management model.

Good security must be based on policy. Employees must know what they can and cannot do with company systems or government systems and that they will be held accountable by whoever is the boss, the CIO or whoever is accountable, and those people should be accountable, also.

The policy must also be risk-based, so I am in concurrence with a lot of what you have already heard today.


¹ The prepared statement of Mr. Watson appears in the Appendix on page 83.


After setting appropriate policies, a company or organization must methodically consider security as a part, an integrated part of normal network operations. This could be as simple as configuring routers to not accept unauthorized addresses or services, or as complex as installing firewalls, intrusion detection systems, authentication, and encrypted virtual private networks.

A basic tenet of military combat engineers is that an unobserved obstacle will eventually be breached, and that is also true for networks. Hackers will eventually figure a way around or through static defenses. The number and frequency of computer attacks is constantly on the rise. There are no vacation periods. As such a critical part of the security wheel is to monitor the network, intrusion detection and other monitoring devices, so that you have 24 by 7 visibility into what is going on inside and outside the network.

The next step is testing the network. Organizations that scan their networks regularly, updating electronic network maps, determining what hosts and services are running, and cataloging vulnerabilities, and they should also bring in experts for independent network security posture audits once or twice a year to provide a more thorough assessment of vulnerability.

It is just like cleaning your teeth. We brush our teeth every day. Those are like your internal own network scans. And you go to the dentist once or twice a year and get an independent outside observation. It may be painful, but you get a lot of good out of it in the long run.

Finally, there needs to be a feedback loop in every best practice. System administrators must be empowered to make improvements. Senior management has to be held accountable for network security. Those involved in day-to-day operations must have their attention.

If you were to ask me, what is the most important step to do right now, I would give you two answers, one for the short-term and one for the long-term. In the short-term, the best thing I think any company or organization can do is to conduct a security posture assessment along with a risk assessment to establish a baseline. Without measuring where you are, you cannot possibly figure out where you need to go.

For the long term, the best thing we can do together is to close the alarming skills gap. The requirement for highly skilled security specialists is increasing faster than all the training programs combined can produce qualified candidates. Universities are having difficulty attracting both professors and students. The government is also having a hard time retaining skilled security professionals. We in the private sector are building and maintaining state-of-the-art security training programs and we are collaborating with education institutions and training partners to provide a wide base for delivery.

We are also helping the Office of Personnel Management to identify knowledge, skills, abilities, and ongoing training requirements and career management and mentoring ideas for a Federal IT security workforce. This human resources issue is by far the most critical information security problem we face in the long term and the solution must be based on government, industry, and academic collaboration.


Corporate network perimeters are blurring. That is also true for the lines between government and industry. The Internet knows no boundaries and we are all in this together. We are very enthusiastic about the new Partnership for Critical Infrastructure Security, a voluntary organization of some 120 companies from across the country dedicated to improving the network security of our critical infrastructures.

As we further build the relationship between the public and private sectors, we hope the great spirit of cooperation currently led by the Department of Commerce and the Critical Infrastructure Assurance Office will continue.

We believe that confidence in e-commerce is increasing. Thirty-eight new web pages are being added to the World Wide Web every second. Our job, all of us, all of our job, is to raise the bar of security overall, worldwide, so that we can empower our citizens and customers to take full advantage of the Internet economy in the Internet century.

Thank you very much. I will be glad to answer any questions. 

Chairman Thompson. Thank you very much. Mr. Adams. 

TESTIMONY OF JAMES ADAMS,² CHIEF EXECUTIVE OFFICER, INFRASTRUCTURE DEFENSE, INC.

Mr. Adams. Chairman Thompson, Ranking Member Lieberman, thank you very much for including me on this distinguished panel.

By way of brief background, my company, iDEFENSE, provides intelligence-driven products—daily reports, consulting, and certification—that allow clients to mitigate or avoid computer network information and Internet asset attacks before they occur. As an example, iDEFENSE began warning its clients about the possibility of distributed denial of service attacks, the kind of hacker activity that is capturing headlines currently around the world, back in October and November of last year.

At the outset, I would like to commend you and your staff for crafting such thoughtful and badly needed legislation in the area of computer security for the Federal Government. We are currently in the midst of a revolution, the information revolution, which calls for dramatic and bold steps in the area of securing cyberspace. It is in this context that your bill takes a crucial step forward by shaking out the current culture of lethargy and inertia gripping the Federal Government. With a proposal to put teeth into the OMB's oversight of computer security issues, this bill is a solid step in the right direction.

Why does this matter? Few revolutions are accomplished without bloodshed. Already, as we plunge headlong and terribly ill-prepared into the knowledge age, we are beginning to receive the initial casualty reports from the front line of the technology revolution and to witness firsthand the cyber threats that, if allowed to fully mature, could cause horrendous damage.

The recent denial of service attacks were mere pinpricks on the body of e-commerce. Consider instead that some 30 countries have aggressive offensive information warfare programs and all of them have America firmly in their sights. Consider, too, that if you buy a piece of hardware or software from several countries, among them some of our allies, there is real concern that you will be buying doctored equipment that will siphon copies of all material that passes across that hardware or software back to the country of manufacture.

² The prepared statement of Mr. Adams appears in the Appendix on page 88.

The hacker today is not just the stereotypical computer geek with a grudge against the world. The hacker today is much more likely to be in the employ of a government or big business or organized crime, and the hackers of tomorrow will be all of that and the disenfranchised of the 21st Century who will resort to the virtual space to commit acts of terrorism far more effective than anything we have seen in the 20th Century.

The government, in all its stateliness, continues to move forward as if the revolution is not happening. Seven months ago, my company won a major contract with a government agency to deliver urgently needed intelligence. The money was allocated, the paperwork done. Yet, it remains mired in the bureaucratic hell from which apparently it cannot be extricated. [Laughter.]

Another government agency is trying to revolutionize its procurement processes to keep up with the pace of the revolution. They are proudly talking about reducing procurement times down to under 2 years. In other words, by the time new equipment is in place, the revolution has already moved on 8 Internet years. In my company, if I cannot have a revolutionary new system in place within 90 days, I do not want it.

The Thompson-Lieberman legislation is a good first step to try and control and drive the process that will bring the government up to speed with this revolution. I believe, however, that to effectively cope with the technology revolution, this proposal must be strengthened. What is needed is an outside entity with real power to implement drastic change in the way government approaches technology and the underlying security of its systems. Currently, jurisdictional wrangling, procurement problems, and a slew of other issues are seriously hampering the government's ability to stay current.

The Thompson-Lieberman bill provides a framework to begin sorting through this mess. However, what is needed most is a person or an entity that will draw on skill sets in many areas that will overlap that of the CIOs, CFOs, CSO, and most of the other officers or entities that currently exist. Let us give this person the title of Chief of Business Assurance, or perhaps the Office of Business Assurance, to relate it directly to the Federal Government.

The OBA's task would be to continuously gather and synthesize infrastructure-related trends and events, to intelligently evaluate the technological context within which the organization operates, to identify and assess potential threats, and then to suggest defensive action, or viewed from the positive side, to assess the technological revolution's opportunities and propose effective offensive strategies.

The OBA must be a totally independent organization with real 
teeth and real power. 

There is much in common between government and industry when it comes to the challenges and the opportunities that the technology revolution poses. Both sectors face a common threat. Both sectors share common goals for the well-being of America and her people. Both employ technologies that are, in essence, identical, and both must work together to protect each other.

I leave you with this thought. In the near term, you will see total transformations of the way business and government is conducted, internally and externally. A failure to change to meet these new challenges is to risk the destruction that all revolutions bring in their wake. Proactive action is the route to survival.

We have heard a great deal in recent months about the potential of a digital divide developing between the computer haves and the computer have-nots. I believe there is another digital divide that is growing between the American Government and its citizens. If this Committee's efforts do not move forward in changing this culture of inertia, there is real danger that the digital divide that exists between government and the private sector will only widen. We cannot afford a situation where the governed feel that their government is out of touch and increasingly irrelevant to their lives. By stepping up to the plate and tackling computer security with an innovative, bold approach, the Thompson-Lieberman bill significantly boosts the chances of reversing the current bureaucratic approach to a very dynamic problem.

Thank you again for the honor of appearing before you. 

Chairman Thompson. Thank you, Mr. Adams. Very well said. 

You heard me mention, I am sure, a while ago about all of the reports and assessments and so forth over the last 2 or 3 years pointing this out. Now, in addition to all of that, we have the President's first version of the National Plan for Information Systems Protection. The plan discusses the need to make the government a model for cyber protection.

As I look at it, I see few concrete proposals as to how to do that. As you know, I am mindful of these overlays and these impressions that we try to leave sometimes that we are doing something when we are really not. Where does this plan fit into the solution to what we are talking about here today?

Mr. Adams. Well, I would just say a couple things about that. First, the plan was 7 months late. It is not a plan, it is an invitation to dialogue, a very different thing. If you asked those who were involved in the formulation of the plan, they will tell you that it was a "business as usual, government at work" nightmare. Every meeting, 100 people would turn up. They would talk about not what was good for the Nation but what was good for their existing equities.

The result was a bureaucratic compromise, which is the document that you see, that raises some interesting points. But a plan will actually emerge, I would guess, a year from now, longer. Meanwhile, we all march on. It requires, I think, more than that, and where the action will have to come from and the leadership will come from is exactly right here. It is not going to come from the Federal Government as we know it, because it is a revolution and governments do not become revolutionaries. They naturally evolve, which is a great strength in a democracy. But in the middle of a revolution, it is actually a threat and a challenge to us that we need to step up to try and meet.

Chairman Thompson. So we are trying to do something very tough but very necessary, is what you are saying.


Mr. Adams. Absolutely, and the great thing, I think, that you are doing is saying, yes, this needs to be done. The very difficult thing for you, as you were rightly articulating earlier, is how to force what needs to be done to actually occur, because you say to the OMB, an inert bureaucracy in its own right, you have to force other organizations to change. True, but how exactly, and typically, it does not work like that.

If you look at what the CIA is doing to try and embrace the revolution, they formed an outside organization, In-Q-Tel, that is driving technology revolution into the organization and pushing change from without to within, and to expect or ask organizations that are comfortable with business as usual to say, no, no, no, revolutionize, they will not do it. Imposition of change is the only way it will occur, and it will be resisted, but the consequence of not doing it can be very serious, and you can already see how relevant does anybody in Silicon Valley think the government is—not at all.

Mr. Watson. If I might add a comment—

Chairman Thompson. Yes, go ahead. 

Mr. Watson. Mr. Chairman, the plan is not a complete plan yet, but at least—

Chairman Thompson. We are relevant in terms of the harm we can do them and how we can mess things up. From a positive standpoint, it is a very good question. Excuse me. Go ahead.

Mr. Watson. But at least there was enough foresight in the Critical Infrastructure Assurance Office to at least get a plan started, and it is an invitation to a dialogue. They have asked industry to help complete this plan, add our perspective, bring in a physical dimension, look at the international aspects that are not in the current plan. I look forward to working with the Partnership, the big "P" Partnership that we just launched, to help make that come to pass.

Chairman Thompson. It has taken 3 years since this all has been on the high-risk list, and now, when we cannot even take a baby step, we are talking about flying an airplane, and international and all these other high-sounding things which may eventually come about when China becomes a full democracy.

Let me explore, you obviously feel like we have to have some kind of an outside entity. You refer to the OBA. Where does this individual fit into the process? What kind of entity are you talking about? Who is this person? How is this person selected? Who are they accountable to? I take it it is not within OMB, is what you have got in mind. Have you thought that through to that extent?

Mr. Adams. I think OMB has got a long and traditional role in oversight and it does that job and has done so for a long time. It would be possible to have something sitting outside of OMB but working within the Federal Government structure but with a rather different mandate.

If you look at the way industry sets up revolutionary change, it does so by—Steve Jobs and Apple is a good example. Put them in a different building, you set them outside the culture, you put a pirate flag on the roof, they develop their own language and culture and they come up with new and creative ideas.


What we see at the moment is the traditional organization says we will go to the traditional places, the traditional consulting companies. They are used to forming committees, punching button A, producing a report in 6 months. Everybody thinks about it and does not do anything. Meanwhile, the people who really are making this revolution occur are the very different organizations that are the dot-com companies, and there needs to be some mechanism for allowing them to have input into change.

So I would envisage something where you, Congress, would mandate and budget a group that would have the ability and the authority to impose change. Now, there is a thought, to impose, and if you do not do it, you will be held accountable in a culture, remember, where many of the things that government has traditionally thought of as its own self.

To take Cisco, for example, they have 26,000 employees. They have three people in the whole organization doing expense accounting. Now, in the government, you have hundreds and thousands or however many people doing the process that can be outsourced. So we need to think about this and how can we make government efficient, relevant, fast moving, changing, dynamic, and I do not believe that it can be done imposing internal solutions.

Processes and all of those things need to come from outside—technology, people, and processes. They will not be able to meet the technology because they cannot procure it fast enough. They cannot hire the people because they cannot afford them. We cannot, and we are paying much more money. And you will not have the processes because you need to impose them in a constantly dynamic way. So those three things will have to come from outside, and the only place that can mandate it, I think, is Congress, which will enforce it, enforce a different structure, a different way of thinking.

Chairman THOMPSON. Thank you. Senator Lieberman. 

Senator Lieberman. Thanks. Again, thanks to both of you. I think, Mr. Chairman, we have had really excellent witnesses today.

Mr. Mitnick earlier made the allegation that part of the problem here, though, as you know, he focused on the human management problem, is that there is such competition, particularly among software manufacturers, to get the product out to the market quickly that they are not spending sufficient time to deal with potential security flaws in that software. In fact, you have actually gone one step to the other side, really stunningly, or to me, fascinatingly, in saying that some foreign manufacturers may, in fact, be putting, I do not know whether you would call it a virus or something in the system that allows it to divert information back to them to be more easily hacked.

Let me ask you to go at both parts of that. First, whether 
Mitnick has a point that manufacturers are not spending sufficient 
time dealing with systems to stop security problems before they put 
their products on the market. 

Mr. Adams. Well, we clearly know that that is correct. The rush to market, speed is of the essence. You clearly do not waste time. They are able to get away with that partly because we are all rushing forward with the revolution and absorbing it as fast as we can, and partly because there is not any training, there is not any process, and people are not security aware.





If there was, as Jack Brock was talking about earlier, a minimum benchmark above which you have to be, then there would become a market-driven demand. I am not going to buy this software because it just simply does not meet my minimum standard, but I will buy this because it does. So there will be a market-driven enforcer that would say, if you do not raise your standards to become more security aware, you are out of business.

Senator Lieberman. Yes. In other words, people who are doing it may advertise that as an attribute, for instance——

Mr. Adams. Absolutely. 

Senator Lieberman [continuing]. Market it, and then, hopefully, you drive the market.

Mr. Adams. My security is better than his security, so—— 

Senator Lieberman. So you should buy mine. 

Mr. Adams. Exactly right.

Senator Lieberman. Do you want to respond, Mr. Watson? 

Mr. Watson. Yes, sir. We do see market pressure to provide 
more secure products and that is why we do provide a whole range 
of them and everyone else is getting into that game, too. 

Senator Lieberman. Right. So that is happening now?

Mr. Watson. It is happening. No. 1, demand from the market is speeding quality of service. No. 2 is security, and that may switch. We do not know. There is a great enabler that security brings to freedom of use of the Internet economy.

Senator Lieberman. Say a little more about this other part of it, 
the other side, that some foreign manufacturers are putting in 
gaps, vulnerabilities in the system that they can then penetrate. Is 
that being done by them for private gain or is it being done by 
their governments or what is happening? 

Mr. Adams. If you look at the way, to take just 2, China and France, see the opportunity of the virtual space, they see this as no different from the terrestrial environment and there is a blurring, unlike in the United States, between the public and private sector. So what the Nation does, it does on behalf of the private sector.

It was striking when I was in Moscow a couple of years ago talking to their intelligence people and their sort of security folks in the prime minister's office. They were obsessed by what they felt were American attacks in the virtual space. So any equipment they bought from overseas, computer software, hardware, they felt had bugs of one kind or another planted in it.

Senator Lieberman. That U.S. manufacturers had put in it? 

Mr. Adams. Yes. Now, I have no idea whether that is true or not. What we do know is that other countries are very aggressively, indeed, contacting the United States, both with their impregnated devices of one kind or another and attacking through the virtual space. The challenge that we have is that we still see the front line as a Nation as soldier/sailor/airman/marine, our border. The front line actually is the private sector, because as you were rightly saying earlier, who is going to attack a soldier? You are actually going to attack the power grid or the telecom or you are going to steal the national intellectual property, and how easy it is because we do not actually understand the threat.





The awareness among CEOs or CIOs in the private sector and, indeed, in the public sector, is lamentable, and yet the threat and the way the America's technological advantage, and the fact that we are the most wired Nation in the world, is being exploited on a daily basis is a national outrage, and yet here we are.

Senator Lieberman. Is there any way for a purchaser of a software system with a bug in it to determine that there is a bug in it as they use it?

Mr. Adams. You can, but it is very difficult. It is rather—I would say that there needs to be some way of a dialogue taking place between the traditional defenders of the nation-state, the intelligence community, the early warning system——

Senator Lieberman. Right.

Mr. Adams [continuing]. And those that are in the front line and need to be defended. There is intelligence. There is information. There are things that you can do, but the degree of sharing of that knowledge is very, very limited indeed currently.

Senator Lieberman. One of the things that strikes me, and you referred to it in a way, is that not only would a hostile power or group think about striking at purely private systems, but governmental systems and military systems even use private communication lines to convey information so that there is vulnerability in different ways. So what you just said is very important: There is more electronic interdependence of public sector and private sector than we generally acknowledge, and, therefore, a true solution to this security problem really has to be joint.

Mr. Adams. That is right, and if you think about how we traditionally see the nation-state, we see it as the government and the private sector goes on and does its thing and helps the nation-state when war breaks out. In the virtual space, war is going to be a constant. It is no different, if you like, to the way we were with terrorism in the early 1970s, when Congress would have hearings about bombings and assassinations and the bombers and assassins could choose the time and place and the target. We were very undefended. We did not understand the problem.

This is very similar to that, except the targeting has changed. The methods have changed. We are moving everything to the virtual space and the same actors are out there. It is just that we do not yet understand how to manage it, and it will be a comprehensive thing. There is no single fix. It is a series of things, some of them being done by Cisco with some of the excellent things that they make, some of them being done with the public-private partnership, some of them being driven by leadership that is going to come from people like yourselves.

Senator Lieberman. Very interesting. As you both know but I think a lot of people out there do not know, it was the Federal Government, certainly through DARPA and the Defense Department, that did some of the initial work that led to the Internet and to the whole information revolution. Now, of course, we have fallen behind, certainly in this computer security part of it, behind the private sector that we in government gave birth to or spawned.

Do you have any ideas for what we do to help government both be a stimulator, an incentivizer of more sophisticated computer security technology? Or in a broader sense, thinking perhaps idealistically, what government can do to be a model itself, which it is not now, for computer security?

Mr. Adams. If I can give you one statistic first, 20 years ago, 70 percent of all technology development was funded one way or another in America by the American Government. Today, that is under 6 percent. So in a single generation, you had an absolute transfer of energy, drive, and power from public to private. So what that says is that there needs to be—the public sector is never going to be a model. It cannot move fast enough. It is never going to be a zero-sum game. You are never going to get rid of the problem. You are only going to be able to effectively manage it.

So it is how to incorporate the private, how to see that the solution is outside and bring it in, rather than thinking about it being inside and imposing it out, and it is a very different way of thinking and a very radical way of thinking for government in its whole, because government in its whole tends to think that I am the answer, and in this case, that is not it.

Senator Lieberman. I also serve on the Armed Services Committee. While this is not the perfect model and it is the minority of what happens, there is a lot more willingness to buy off-the-shelf today. In fact, some of our major defense systems are being built in a way that allows parts to be pulled out and the newest parts from the private sector to be put in over time, and maybe that is a model for computer security, as well.

Mr. Watson, do you want to respond?

Mr. Watson. Yes, sir. First of all, it is true that the Internet knows no boundaries. There are no more perimeters, no more borders. It is all cyberspace.

Two things, though. Industry tends to develop things at Internet speed and move a lot faster than most governments can move. Since industry owns and operates most of the infrastructures on which the government, both private government and the infrastructures that we run, depend, it is our responsibility to do our part to develop solutions and we are doing that.

Also, in our studies, we have discovered that you can spend a lot of time studying the threat, but it is a lot more profitable to look at vulnerabilities and solve those to raise the bar of security. So that is the direction that we are taking. We are looking at vulnerabilities and addressing those. That is why it is important to do security posture assessments, risk assessments, to look at where you are and to know what you can fix at zero or little cost, as the NASA IG said.

Two provisions of the S. 1993 bill, I think, are really important. One is that it does include security as an integrated part, component, of each agency's business model and it emphasizes training as essential. That is a multi-faceted problem. Training security specialists is something we need to do and training everybody in the awareness problem and how users can better exercise security is important.

Senator Lieberman. Should we be building on the DARPA model? Although again, maybe the private sector is zooming so far ahead that we do not have to do that. But there are certain areas in which, over time, we have found that because of market pressures, the private sector may not invest enough in research and development and so the government gets involved to do that. Is this an area where we ought to be targeting more Federal money in R&D and computer security breakthroughs?

Mr. Watson. Before we will know the answer to that, it is important to have some kind of a clearinghouse and finding out what industry is doing, what academia is doing, what the government could target its money so it is not duplicating efforts. And I think the vehicle that we have in place right now, it is just a beginning, is the Partnership for Critical Infrastructure Security, and maybe the PCIS recommendation for the Institute for Information Infrastructure Protection might be able to be that clearinghouse.

Senator Lieberman. Right. 

Mr. Adams. I also think, though, that the way of—you take the DARPA model——

Senator Lieberman. Right. 

Mr. Adams [continuing]. You speak to folks at DARPA now, as you, I am sure, know, they focus not so much on inventing the new but integrating what is there, a different thing. Private industry is moving very, very rapidly. Cisco invests more money in thinking about new stuff, on securing the Web than the government could ever really get together.

Senator Lieberman. So maybe there is not a need for us to do 
it if the market is driving it. 

Mr. Adams. But maybe there is a different way of doing it. I mean, what is there that the Federal Government can do to influence the outcome for the Nation? Education is fundamentally important. We go home at night, we unlock the door. We leave in the morning, we turn on the burglar alarm, we lock the door, we make sure the windows are shut, and so on. Nobody is being trained in these elementary things.

There is an enormous amount that could be done in education in schools, in universities, in funding programs, seed money that would ensure the security of the Nation going forward into this century rather than looking at, well, we have put in a spot of money here, but instead thinking about this in a national context. What is the best for the Nation as a whole that we, the Federal Government, can facilitate, because the private sector is continuing again to drive this revolution. So education is extremely important. Awareness is extremely important. And this is a major national security issue, so there are things that can be done from the Federal down to the local level.

Senator Lieberman. Thank you both. You have been excellent 
witnesses. I appreciate your time. 

Mr. Watson. Thank you. 

Chairman Thompson. Could I ask, just very briefly, how would you sell that from a national security standpoint? We talk about educating the young people and bridging the gap between the rich and the poor and all that, but how would you articulate the necessity to do that from a national security standpoint? These are kids. They are obviously going to use it in the short-term for things other than that. But from a long-term national benefit, are there not going to be just specialists that do that sort of thing? For the masses, it is certainly beneficial and maybe necessary, but does it really have to do with national security?




Mr. Adams. I would not posture it quite like that. Let me give you a brief anecdote. I was in a meeting about national security, American national security, a little while ago talking about future threats, 5 to 10 years. There was general agreement that China is a very significant threat to the United States.

At that same meeting, one of America's leading high-technology companies, they had one of their senior officers there and he was describing how they have had to make an investment decision about a new technology product that they are making, a new next step in the revolution. This is an American company. Where do we go? We go to the place where there is a customer base, where we have cheap labor and we have a high number of engineers. Where do they build their new factory? China. National security is irrelevant.

So the argument is not national security. The argument is what is going to be the resource for America in this century. Answer, trained and qualified people who can manage and master the revolution. As part of that, as part of that education process, just as you get trained in sanitation or good health practices, so you get trained in good security practices. It is part of being trained as an information specialist.

Chairman Thompson. In order to remain in a leadership position in the global economy, you have to maintain the productivity and, therefore, maintain your technological advantages, and, therefore, you have to have the educational background.

Mr. Adams. Exactly, and that is something that the government 
can absolutely influence the outcome of. 

Chairman THOMPSON. What kind of group was this that you said 
you just attended? 

Mr. Adams. I would have to talk to you about that outside. 

Chairman Thompson. All right. 

Mr. Watson. I would suggest incentives to collaborate with the private sector. Cisco networking academies are in all 50 States and 25 foreign countries. We are adding security modules into that training. We build security training syllabuses and training partners deliver that training. We would view Federal requirements for security training as a market pressure and we would develop products and services to meet that demand.

Chairman Thompson. Mr. Watson, in your background with regard to information warfare, do you subscribe to the notion I have heard some say that it is almost for sure that in any future military attack, one industrialized country against another, that it would probably be preceded by a cyber attack?

Mr. Watson. I would say that was possible and maybe even likely.

Chairman Thompson. What would you think, Mr. Adams? 

Mr. Adams. I would say that most countries that have an information warfare capability see that as a precursor to full-scale war, and indeed, the full-scale war itself may occur in the virtual space. The interesting thing is that while America has a capability in this area, the lawyers have not yet decided what is war in the virtual space. So we may be attacked and in serious trouble before we can do anything about it.





Chairman Thompson. One final thing. Senator Lieberman and you mentioned the shift of capability from the government to the private sector and now we are here in our legislation trying to decide what government should be doing, first of all, about itself and managing itself. You heard the GAO testimony about the government needing to decide minimum standards.

I am wondering what is going on in the private sector out here. How is that going to interface with what we are trying to do? Should the government be setting standards for itself, minimum standards and as it is purchasing the hardware, software, servicing, and all from the outside, or should these be private standards determined by the private sector that we incorporate? Do you see what I am trying to get at? How does that interrelate?

Mr. Adams. I think there are two different things that you are addressing. What we have at the moment as this revolution has unfolded is a multitude of standards—hardware, software, different in America, different in Britain, different in France, all over the world.

Yes, it is a common arena, as Ken was saying earlier, and for the government or governments, more likely, the World Trade Organization to agree on a common standard is completely unrealistic, I think. It would take years and just will not happen.

More likely will be if you go back to the housing problems at the beginning of this century in the United States, a tremendous amount of poor housing that were in very bad shape. Nobody could agree what to do about it, but when the insurance industry said, Oh, here is a minimum standard or else you do not get insurance. If you do not have insurance, you cannot have a mortgage. Lo and behold, the standards raised up and the standards of housing went up with it. The market drove the solution, in other words, and I think exactly the same thing will happen here.

There has been lots of talk about minimum risk standards and that needs to be applied. Two things will drive it. One will be down value chains. You are going to do business with me, you need to be affirmed at this risk level of some kind or another, certified at this risk level, and if you do not, then I am not going to do business with you.

And the second will be the insurance industry, which will say, if you are going to be insured with me, just like if I issue you with a house insurance policy, you get 10 percent off for this burglar alarm, 15 percent off if you are connected to the police station, so it will be a similar thing in the virtual space. So those two market factors will drive it.

Chairman Thompson. So instead of the government requiring certain standards of private industry, private industry would be requiring certain standards from the government?

Mr. Adams. Exactly. 

Mr. Watson. And we are already working in that direction. We are beginning to dialogue with the insurance and audit industries to develop standards. There are no standards across the board for security posture assessments or penetration tests or white-hat hacking or whatever you want to call it. If you ask two companies to give you an assessment of your security, you will get two completely different answers because they are based on different standards.

There is no standard training program for network security engineers to certify that someone has the skill required to do that kind of an assessment. There are no standard ratings for security in a network. How would you do that anyway? It would be an instantaneous security state, but how would you say, if you have a firewall, you have one level of standard. If you have a firewall, intrusion detection, and remote monitoring, you meet another security standard that could be insurable. Those are the kinds of questions that we need to address.

Chairman THOMPSON. Well, you know the GAO has these best 
practices and so forth. Do we not have any minimal standards, 
without being so minimal that they are meaningless? 

Mr. Watson. They are just not defined yet.

Mr. Adams. And there is no common language, we all speak—it sounds similar, but we all interpret it differently and you can give yourself a tick in the box which actually you are nowhere near where you should be.

Chairman Thompson. Thank you very, very much. We appreciate it.

Senator Lieberman. Thank you.

Chairman Thompson. The record will remain open for 1 week 
after the close of the hearing. We are adjourned. 

[Whereupon, at 12:50 p.m., the Committee was adjourned.] 



APPENDIX 


Prepared Statement of Kevin Mitnick

Honorable Chairperson Thompson, Senators, and Members of the Committee.


My name is Kevin Mitnick. I appear before you today to discuss your efforts to create legislation that will ensure the future and reliability of information systems owned and operated by, or on behalf of, the federal government.


I am primarily self-taught. My hobby as an adolescent consisted of studying methods, tactics and strategies used to circumvent computer security, and to learn more about how computer systems and telecommunications systems work.

In 1985 I graduated cum laude in Computer Systems and Programming from a technical college in Los Angeles, California, and went on to successfully complete a post-graduate project in designing a security application that ran on top of a computer's operating system.

administrators realized I was breaking into their computers in ways that they could not prevent, and so they asked me to design security enhancements that would stop


I have 20 years experience circumventing information security measures, and can report that I have successfully compromised all systems that I targeted for unauthorized access save one. I have two years experience as a private investigator, and my responsibilities included locating people and their assets using social engineering techniques.

My experience and success at accessing and obtaining information from computer systems first drew national attention when I obtained user manuals for the COSMOS computer systems (Computer Systems for Mainframe Operations) used by Pacific Bell.

Ten years later the novel "Cyberpunk" was published in 1991, which purported to be a "true" accounting of my actions that resulted in my arrest on federal charges in 1981. One of the authors of that novel went on to write similarly fictionalized "reports" about me for the New

appeared July 1994. That largely fictitious story labeled me, without reason, justification or proof, as the "world's most wanted cybercriminal." Subsequent media reports distorted that claim into the false claim that I was the first hacker on the FBI's "Ten Most Wanted" list. That false exaggeration was most recently repeated during my appearance on CNN's Burden of Proof program on February 10, 2000. Michael White of the Associated Press researched this issue with the FBI, and FBI representatives denied ever including me on their "Ten Most Wanted" list.

I have gained unauthorized access to computer systems at some of the largest corporations on the planet, and have successfully penetrated some of the most resilient computer systems ever developed. I have used both technical and non-technical means to obtain the source code to various operating systems and telecommunications devices to study their vulnerabilities and their inner workings.

After my arrest in 1995, I spent years as a pretrial detainee without benefit of bail, a bail hearing, and without the ability to see the evidence against me, combined circumstances which are unprecedented in U.S. history according to the research of my defense team. In March of 1999 I pled guilty to wire fraud and computer fraud. I was sentenced to 68 months in federal prison with 3 years supervised release.

February 29, 2000
K. Mitnick Statement to Senate Gov't Affairs Committee
Page 1 of 5

The supervised release restrictions imposed on me are the most restrictive conditions ever imposed on an individual in U.S. federal court, again according to the research of my defense team. The conditions of supervised release include, but are not limited to, a complete prohibition on the possession or use, for any purpose, of the following: cell phones, computers, any computer software programs, computer peripherals or support equipment, personal information assistants, modems, anything capable of accessing computer networks, and any other electronic equipment presently available or new technology that becomes available that can be converted to, or has as its function, the ability to act as a computer system or to access a computer system, computer network, or telecommunications network.

In addition to these extraordinary conditions, I am prohibited from acting as a consultant or advisor to individuals or groups engaged in any computer-related activity. I am also prohibited from accessing computers, computer networks, or other forms of wireless communications myself or through third parties.

I was released from federal prison on January 21, 2000, just 6 weeks ago. I served 59 months and 7 days, after earning 180 days of time off for good behavior. I am permitted to own a land line telephone.


Computer Systems and Their Vulnerabilities

The goal of information security is to protect the integrity, confidentiality, availability and access control to the information. Secure information is protected against tampering, disclosure, and sabotage. The practice of information security reduces the risk associated with loss of trust in the integrity of the information.

Information security is comprised of four primary topics: physical security, network security, computer systems security, and personnel security. Each of these four topics deserves a complete book, if not several books, to fully document them. My presentation today is intended to provide a brief overview of these topics, and to present my recommendations for the manner in which the Committee may create effective legislation.

1. Physical Security

1.1 Uncontrolled physical access to computer systems and computer networks dramatically increases the likelihood that the system can and will suffer unauthorized access.

1.1.1 Hardware Security




Computers may be locked in rooms or buildings with security cameras, and cypher-controlled doors. The greatest risk to information security in apparently secure hardware environments is represented by employees, or impostors, who appear to possess authorization to the secured space.

1.1.2 Data Security

Many government agencies require formal backup procedures to insure against data loss. Equally stringent requirements must be in place to ensure the integrity and security of those backup files. Intruders who cannot gain access to secure data but who obtain unauthorized access to data backups successfully compromise any security measures that may be in place, and with much less risk of detection.

2. Network Security

2.1 Stand-alone computers are less vulnerable than computers that are connected to any network of any kind. Computers connected to networks typically offer a higher incidence of misconfiguration, or inappropriately enabled services, than computers that are not connected to any network. The hierarchy of network "insecurity" is as follows:

- Stand-alone computer - least vulnerable
- Computer connected to a LAN, or local area network - more vulnerable
- Computer and a LAN accessible via dial-up - even more vulnerable
- Computer and LAN connected to internet - most vulnerable of all

2.1.1 Unencrypted Network Communications

Unencrypted network communications permit anyone with physical access to the network to use software to monitor all information traveling over the network, even though it's intended for someone else. Once a network tap is installed, intruders can monitor all network traffic, and install software that enables them to capture, or "sniff," passwords from network transmissions.

2.1.2 Dial-in Access

Dial-in access increases vulnerabilities by opening up an access point to anyone who can access ordinary telephone lines. Off site access increases the risk of intruders gaining access to the network by increasing the accessibility of the network and the remote computer.

3. Computer Systems Security

3.1 Computer systems that are not connected to any network present the most secure computing environment possible. However, even a brief review of standalone computer systems reveals many ways they may be compromised.

3.1.1 Operating Systems

The operating systems control the functions of the computer: how information is stored, how memory is managed, and how information is displayed - it's the master program of the machine. At its core, the operating system is a group of discrete software programs that have




been assembled into a larger program containing millions of lines of code. Large modern day operating systems cannot be thoroughly tested for security anomalies, or "holes," which represent opportunities for unauthorized access.


3.1.2 Rogue Software Programs

"Rogue" software applications can be installed surreptitiously, or with the unwitting help of

install a "back door", which usually consists of programming instructions that disable security settings in an operating system and that allow

some back door programs even log the passwords used to gain access to the compromised system or systems for future use by the intruder.

3.1.3 Ineffective Passwords

Computer users often choose passwords that are in the dictionary, or that have personal

static, or unchanging, passwords represent another easy

password compromise; the user and the system administrators have no way of knowing the password is known to an intruder.

Non-static passwords are problematic for many users, who write them down and keep them near their computers for easy access - their own, or anyone who breaches physical security of the computer installation.


3.1.4 Uninstalled Software Updates 

Out-of-date system software containing known security problems presents an easy target to an 
intruder. Systems administrators cannot keep systems updated as a result of work overload. 
Weaknesses of systems are publicized, and out-of-date 
systems typically offer well-known vulnerabilities for easy access. 


3.1.5 Default Installations 

Default installations of some operating systems disable many of the built-in security features 
in a given operating system. In addition, system administrators unintentionally misconfigure 
systems, or include unnecessary services that may lead to unauthorized access. Again these 
weaknesses are widely publicized within the computing community, and default or 
misconfigured installations present an easy target. 


4. Personnel Security 


4.1 The most complex element in information security is the people who use the systems in 
which the information resides. Weaknesses in personnel security negate the effort and cost of 
the other three types of security: physical, network and computer system security. 

4.1.1 Social Engineering 

Social engineering, or "gagging", is defined as gaining intelligence through deception. 
Employees are trained to be helpful, and to do what they are told in the workplace. The 
skilled social engineer will use these traits to his or her advantage as they seek to gain 
information that will enable them to achieve their objectives. 


a 


a 


fatxvjiry29.2000 KMitrtckSiitamaff toSsfetsG<>vn AflsCiC^ 

Page aofS 


4 


a 



4.1.2 Email Attachments 

Email attachments may be sent with covert code embedded within. Upon receiving the email, 
most people will launch the attachment, which can lower the security settings on the target 
machine without the user's knowledge. The likelihood of a successful installation using this 
method can be increased by following up the email submittal with a telephone call to prompt 
the person to open the attachment. 

Information Security Exploits 


Information security exploits are the methods, tactics, and strategies used to breach the 
integrity, confidentiality, availability or access control of information. Discovery of 
compromised information security has several consequences, the most important of which is 
the decline in the level of trust associated with the compromised information and systems that 
contain that information. Examples of typical security exploits follow. 

5. Physical Security Exploits 

5.1 Data Backup Exploit 

Using deception or sheer bravado, the intruder can walk into the off site backup storage 
facility, and ask for the physical data backup by pretending to be from a certain agency. The 
intruder can claim that particular backup is necessary to perform a data restoration. Once an 
intruder has physical possession of the data the intruder can work with the data as though he 
possessed superuser, or system administrator, privileges. 

5.2 Physical Access Exploit 

If an intruder gains physical access to a computer and is able to reboot it, the intruder can gain 
complete control of the system and bypass all security measures. An extremely powerful 
exploit, but one that exposes the intruder to great personal risk because they're physically 
present on the premises. 

5.3 Network Physical Access Exploit 

Physical access to a network enables an intruder to install a tap on the network cable, which 
can be used to eavesdrop on all network traffic. Eavesdropping enables the intruder to 
capture passwords as they travel over the network, which will enable full access to the 
machines whose passwords are compromised. 

6. Network Security Exploits 

6.1 Network software exists that probes computers for weaknesses. Once one system's 
weaknesses are revealed and the system is compromised, the intruder can install software 
(called "sniffer" software) that compromises all systems on the network. Following that, an 
intruder can install software that logs the passwords used to access that compromised 
machine. Users routinely use the same or similar passwords across multiple machines; thus, 
once one password for one machine is obtained, then multiple machines can be compromised 
(see "Personnel Security Exploits"). 

7. Computer System Exploits 

7.1 Vulnerabilities in programs (e.g., the UNIX program sendmail) can be exploited to gain 
remote access to the target computer. Many system programs contain bugs that enable the 
intruder to trick the software into behaving in a way other than that which is intended in order 
to gain unauthorized access rights, even though the application is a part of the operating 
system of the computer. 

7.2 A misconfigured installation on a computer in operation at the Raleigh News and 
Observer, a paper in Raleigh, North Carolina, demonstrates the problematic aspect of system 
misconfiguration. Using the UNIX program "Finger," which enables one to identify the users 
that are currently logged into a computer system, I created a user name on the computer 
system I controlled. The user name I assigned myself matched exactly the user name that 
existed on the target host. The misconfigured system was set to "trust" any computer on the 
network, which left the entire network open for unauthorized access. 

8. Personnel Security Exploits 

8.1 Social Engineering -- involves tricking or persuading people to reveal information or to 
take certain actions at the behest of the intruder. My work as a private investigator relied 
heavily on my skills in social engineering. 

In my successful efforts to social engineer my way into Motorola I used a three-level social 
engineering attack to bypass the information security measures then in use. First I was able to 
convince Motorola Operations employees to provide me, on repeated occasions, the pass code 
on their security access device as well as the static PIN. The reason this was so extraordinary 
is that the pass code on their access device changed every 60 seconds; every time I wanted to 
gain unauthorized access I had to call the Operations Center and ask for the password in 
effect for that minute. 

The second level involved convincing the employees to enable an account for my use on one of 
their machines, and the third level involved convincing one of the engineers who was already 
entitled to access one of the computers to give me his password. I overcame that engineer's 
vigorous reluctance to provide the password by convincing him that I was a Motorola 
employee, and that I was looking at a form that documented the password that he used to 
access his personal workstation on Motorola's network -- despite the fact that he never filled 
out any such form! Once I gained access to that machine, I obtained Telnet access to the target 
machine, access which I had sought all along. 

8.2 Voice Mail and Fax Exploit 

This exploit relies on convincing an employee at a large company to enable a voice mailbox: 
the intruder would call the people who administer the voice mailboxes for the target company 
and request a mailbox. The pretext would be that the intruder works for a different division 
and would like to retrieve messages without making a toll call. 

Once the intruder has access to the voice mail system, the intruder would call the receptionist, 
represent himself as an employee of the company, and ask that they take messages for him; 
last but not least the intruder would request the fax number and ask that incoming faxes be 
held for pickup. This sets the stage for the call to the target division of the company. 

At this point the intruder would call the target division to initiate the fax exploit with the goal 
of obtaining the targeted confidential company information. During that call the intruder 
would identify himself as an employee of the division whose voice mail and fax systems have 
just been compromised; he would cite the voice mail box in support of his identity, and would 
social engineer the target employee into faxing the target information to the compromised fax 
number located at one of their other offices. 

Now the intruder would call the receptionist, tell the receptionist that he's in a business 
meeting, and ask that the receptionist fax the confidential material to the hotel. The intruder 
picks up the fax containing confidential information at the secondary fax, which cannot be 
traced back to either the intruder or the targeted company. 

I used this exploit to successfully compromise AT&T's protected network access points 
routinely. AT&T had learned that a system had been compromised by unauthorized entry at a 
central network access point called "DataKit". They imposed network access passwords on all 
DataKits to inhibit unauthorized access. I contacted one of the managers' secretaries and used 
the Fax Exploit to convince the secretary to fax me the password that enabled access to a 
DataKit that controlled dial-up access to AT&T's worldwide computer network. 

9. Recommendations 

The Voice Mail and Fax Exploit demonstrates the most important element in my testimony 
today: that verification mechanisms are the weak link in information security, and voice mail 
and fax are the tools used to verify the authenticity of the credentials presented by someone 
seeking physical, network, or computer systems access. 

The methods that will most effectively minimize the ability of intruders to compromise 
information security are comprehensive user training and education. Enacting policies and 
procedures simply won't suffice. Even with oversight the policies and procedures may not be 
effective: my access to Motorola, Nokia, AT&T, Sun depended upon the willingness of people to 
bypass policies and procedures that were in place for years before I compromised them 
successfully. The corporate security measures that I breached were created by some of the best 
and brightest in the business, some of whom may even have been consulted by the committee 
as you drafted your legislation, Senate Bill S1993. 

S1993 represents a good first step toward the goal of increasing information security on 
government computer systems. I have several recommendations that I hope will increase the 
effectiveness of your bill. 



1. Each agency perform a thorough risk assessment of the assets they want to protect. 

2. Perform a cost-benefit analysis to determine whether the price to protect those systems 
represents real value. 

3. Implement policies, procedures, standards and guidelines consistent with the risk 
assessment and cost benefit analyses. Employee training to recognize sophisticated social 
engineering attacks is of paramount importance. 

4. After implementing the policies, procedures, standards and guidelines, create an audit and 
oversight program that measures compliance throughout the affected government agencies. 
The frequency of those audits ought to be determined consistent with the mission of a 
particular agency: the more valuable the data, the more frequent the audit process. 

5. Create a numeric "Trust ranking" that quantifies and summarizes the results of the audit and 
oversight programs described above. The numeric "Trust ranking" would provide an at-a-glance 
ranking - a report card, if you will - of the characteristics that comprise the four major 
categories defined above: physical, network, computer systems, and personnel. 

6. Effective audit procedures - implemented from the top down - must be part of an 
appropriate system of rewards and consequences in order to motivate system administrators, 
personnel managers, and government employees to maintain effective information security 
consistent with the goals of this committee. 

Conclusion 


Obviously a brief presentation such as the one I've made today cannot convey adequately the 
measures needed to implement effective information security measures. I'm happy to answer 
any questions that may have been left unanswered for any members of the Committee. 
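Section 7.2 of the statement above describes a system configured to "trust" any computer on the network. As an added example, not part of Mr. Mitnick's statement, the following Python audit reads Berkeley r-services trust files (/etc/hosts.equiv and ~/.rhosts, assumed here to be the trust mechanism involved; the statement does not name it) and flags entries that extend trust to every host, to any user, or to hosts outside a managed inventory; the file contents and host names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample trust files for a hypothetical server (not taken from
# the hearing record). Each line is "[+|-]host [[+|-]user]": a bare "+"
# means "any host", "+ +" means "any host, any user", "+@name" a netgroup,
# and a leading "-" denies rather than grants.
SAMPLE_HOSTS_EQUIV = """\
# /etc/hosts.equiv (constructed sample)
+
build01.example.test
-badhost.example.test
+@devhosts
"""

SAMPLE_RHOSTS = """\
# ~alice/.rhosts (constructed sample)
+ +
laptop.example.test alice
laptop.example.test +
"""

SEVERITY_ORDER = {"medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    source: str      # which file the entry came from
    lineno: int      # 1-based line number within that file
    entry: str       # the trust entry as written
    severity: str    # "medium", "high" or "critical"
    reason: str      # why the entry is a risk


def audit_trust_file(text: str, source: str, known_hosts: Iterable[str]) -> List[Finding]:
    """Flag hosts.equiv/.rhosts entries that grant trust too broadly.

    Host-based trust rests only on a hostname lookup and a remote account
    name, which is exactly what someone who controls another machine on the
    network can reproduce (the 7.2 scenario), so every grant is reviewed and
    wildcard grants are treated as the most serious.
    """
    inventory = set(known_hosts)
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user: Optional[str] = fields[1] if len(fields) > 1 else None

        if host.startswith("-") or (user is not None and user.startswith("-")):
            continue  # negative entries deny access; nothing is granted
        if host == "+":
            if user == "+":
                sev, why = "critical", "any user on any host is trusted"
            else:
                sev, why = "high", "every host on the network is trusted"
        elif host.startswith("+@"):
            sev, why = "medium", f"an entire netgroup ({host[2:]}) is trusted"
        elif user == "+":
            sev, why = "high", f"any user on {host} is trusted"
        elif host not in inventory:
            sev, why = "medium", f"{host} is not a managed host in the inventory"
        else:
            continue  # a named, inventoried host with a named user: acceptable
        findings.append(Finding(source, lineno, line, sev, why))
    return findings


def worst_severity(findings: Iterable[Finding]) -> Optional[str]:
    """Return the highest severity present, or None when there are no findings."""
    worst = None
    for f in findings:
        if worst is None or SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[worst]:
            worst = f.severity
    return worst


if __name__ == "__main__":
    managed = {"build01.example.test"}   # constructed inventory of managed hosts
    results = audit_trust_file(SAMPLE_HOSTS_EQUIV, "/etc/hosts.equiv", managed)
    results += audit_trust_file(SAMPLE_RHOSTS, "~alice/.rhosts", managed)
    for f in results:
        print(f"{f.severity:8} {f.source}:{f.lineno}  '{f.entry}'  {f.reason}")
    print("overall:", worst_severity(results))
```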





United States General Accounting Office 

GAO 

Testimony 

Before the Committee on Governmental Affairs, U.S. Senate 

For Release on Delivery 

March 2, 2000 

INFORMATION SECURITY 

Comments on the Proposed Government Information Security Act of 1999 

Statement of Jack L. Brock, Jr. 
Director, Governmentwide and Defense Information Systems 
Accounting and Information Management Division 

GAO 

Accountability * Integrity * Reliability 

GAO/T-AIMD-00-107 







Mr. Chairman and Members of the Committee: 

I am pleased to be here to discuss S. 1993, the Government Information Security Act of 1999, 
which seeks to strengthen information security practices throughout the federal government. 
Such efforts are necessary and critical. Our work has shown that almost all government agencies 
are plagued by poor computer security. Recent events such as the denial of service attacks last 
month indicate the damage that can occur when an organization's computer security defenses are 
breached. However, Mr. Chairman, let me emphasize that the potential for more serious 
disruption is significant. As I stated in recent testimony,[1] our nation's computer-based 
infrastructures are at increasing risk of severe disruption. The dramatic increase of computer 
interconnectivity, while beneficial in many ways, has provided pathways among systems that, if 
not properly secured, can be used to gain unauthorized access to data and operations from remote 
locations. Government officials are increasingly worried about attacks from individuals and 
groups with malicious intentions, such as terrorists and nations engaging in information warfare. 

S. 1993 provides opportunities to address this problem. It updates the legal framework that 
supports federal information security requirements and addresses widespread federal information 
security weaknesses. In particular, the bill provides for a risk-based approach to information 
security and independent annual audits of security controls. Moreover, it approaches security 
from a governmentwide perspective, taking steps to accommodate the significantly varying 
information security needs of both national security and civilian agency operations. 


[1] Critical Infrastructure Protection: Comments on the National Plan for Information Systems Protection (GAO/T-AIMD-00-72, February 1, 2000). 




Mr. Chairman, I would like to discuss how these proposals can lead to substantial improvements 
in federal agency performance in addressing computer security issues. In addition, I would like 
to raise two additional concerns--the need for better-defined control standards and centralized 
leadership--that, if addressed, could further strengthen security practices and oversight. These 
two concerns merit further attention as the Committee moves ahead with its work in this area. 


INFORMATION SECURITY IMPROVEMENTS 

ARE URGENTLY NEEDED 




Improvements in agency information security practices are sorely needed. Our October 1999 
analysis of our own and inspector general audits found that 22 of the largest federal agencies 
were not adequately protecting critical federal operations and assets from computer-based 
attacks.[2] Highlighting attention to this problem over the past 12 months was the disruption of 
operations at some government agencies caused by the Melissa computer virus as well as a series 
of federal web site break-ins. As in past analyses, we concluded that addressing this widespread 
and persistent problem would require significant management attention and action within 
individual agencies as well as increased coordination and oversight at the governmentwide level. 

Our most recent individual agency review of the Environmental Protection Agency (EPA), 
corroborated our governmentwide analysis.[3] Overall, we found that EPA's computer systems 
and the operations that rely on these systems were highly vulnerable to tampering, disruption, 
and misuse. EPA's own records identified several serious computer incidents in the last 2 years 
that resulted in damage and disruption to agency operations. Moreover, our tests of computer- 
based controls concluded that computer operating systems and the agencywide computer 
network that support most of EPA's mission-related and financial operations were riddled with 
security weaknesses. EPA is currently taking significant steps to address these weaknesses. 
However, resolving EPA's information security problems will require substantial ongoing 
management attention since security program planning and management to date have largely 
been a paper exercise doing little to substantively identify, evaluate, and mitigate risks to the 
agency's data and systems. Any fixes made by EPA to address specific control weaknesses will 
be temporary until these underlying management issues are addressed. 


[2] Critical Infrastructure Protection: Comprehensive Strategy Can Draw on Year 2000 Experiences (GAO/AIMD-00-1, October 1, 1999). 

[3] Information Security: Fundamental Weaknesses Place EPA Data and Operations at Risk (GAO/T-AIMD-00-97, February 17, 2000). 

EPA is not unique. Within the past 12 months we have identified significant management 
weaknesses and control deficiencies at a number of agencies that effectively undermine the 
integrity of their computer security operations. 

• In August 1999, we reported[4] that pervasive weaknesses in Department of Defense 
information security continue to provide both hackers and hundreds of thousands of 
authorized users the opportunity to modify, steal, inappropriately disclose, and destroy 
sensitive DOD data. Among other things, these weaknesses impaired DOD's ability to 
control physical and electronic access to its systems and data; ensure that software running 
on its systems is properly authorized, tested, and functioning as intended; and resume 
operations in the event of a disaster. 


[4] DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk (GAO/AIMD-99-107, August 26, 1999). 

• In May 1999, we reported[5] that, as part of our tests of the National Aeronautics and Space 
Administration's (NASA) computer-based controls, we successfully penetrated several 
mission-critical systems, including one responsible for calculating detailed positioning data 
for each orbiting spacecraft and another that processes and distributes the scientific data 
received from these spacecraft. Having obtained access, we could have disrupted ongoing 
command and control operations and modified or destroyed system software and data. 

• In August 1999, an independent accounting firm reported[6] that the Department of State's 
mainframe computers for domestic operations were vulnerable to unauthorized access. 
Consequently, other systems, which process data using these computers, could also be 
vulnerable. A year earlier, in May 1998, we reported[7] that our tests at State demonstrated 
that its computer systems and the information they maintained were very susceptible to 
hackers, terrorists, or other unauthorized individuals seeking to damage State operations or 
reap financial gain by exploiting the department's information security weaknesses. 


[5] Information Security: Many NASA Mission-Critical Systems Face Serious Risks (GAO/AIMD-99-47, May 20, 1999). 

[6] Audit of the Department of State's 1997 and 1998 Principal Financial Statements, Leonard G. Birnbaum and Company, LLP, August 9, 1999. 

[7] Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations (GAO/AIMD-98-145, May 18, 1998). 



• In October 1999, we reported[8] that serious weaknesses placed sensitive information 
belonging to the Department of Veterans Affairs (VA) at risk of inadvertent or deliberate 
misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without 
detection. Such findings were particularly troublesome since VA collects and maintains 
sensitive medical record and benefit payment information for veterans and family members 
and is responsible for tens of billions of dollars of benefit payments annually. 

Although the nature of operations and related risks at these and other agencies vary, there are 
striking similarities in the specific types of weaknesses reported. The following six areas of 
management and general control weaknesses are repeatedly highlighted in our reviews. 

• Entitywide Security Program Planning and Management. Each organization needs a set 
of management procedures and an organizational framework for identifying and assessing 
risks, deciding what policies and controls are needed, periodically evaluating the 
effectiveness of these policies and controls, and acting to address any identified weaknesses. 
These are the fundamental activities that allow an organization to manage its information 
security risks cost effectively, rather than reacting to individual problems ad hoc only after a 
violation has been detected or an audit finding has been reported. Despite the importance of 
this aspect of an information security program, we continue to find that poor security 
planning and management is the rule rather than the exception. Most agencies do not 
develop security plans for major systems based on risk, have not formally documented 
security policies, and have not implemented programs for testing and evaluating the 
effectiveness of the controls they rely on. 


[8] Information Systems: The Status of Computer Security at the Department of Veterans Affairs (GAO/AIMD-00-5, October 1999). 

• Access Controls. Access controls limit or detect inappropriate access to computer resources 
(data, equipment, and facilities) thereby protecting these resources against unauthorized 
modification, loss, and disclosure. They include physical protections, such as gates and 
guards, as well as logical controls, which are controls built into software that (1) require 
users to authenticate themselves through passwords or other identifiers and (2) limit the files 
and other resources that an authenticated user can access and the actions that he or she can 
execute. In many of our reviews we have found that managers do not identify or document 
access needs for individual users or groups, and, as a result, they provide overly broad 
access privileges to very large groups of users. Additionally, we often find that users share 
accounts and passwords or post passwords in plain view, making it impossible to trace 
specific transactions or modifications to an individual. Unfortunately, as a result of these 
and other access control weaknesses, auditors conducting penetration tests of agency 
systems are almost always successful in gaining unauthorized access that would allow 
intruders to read, modify, or delete data for whatever purposes they had in mind. 

• Application Software Development and Change Controls. Application software 
development and change controls prevent unauthorized software programs or modifications 
to programs from being implemented. Without them, individuals can surreptitiously modify 
software programs to include processing steps or features that could later be exploited for 
personal gain or sabotage. In many of our audits, we find that (1) testing procedures are 
undisciplined and do not ensure that implemented software operates as intended, (2) 
implementation procedures do not ensure that only authorized software is used, and (3) 
access to software program libraries is inadequately controlled. 

• Segregation of Duties. Segregation of duties refers to the policies, procedures, and 
organizational structure that help ensure that one individual cannot independently control all 
key aspects of a process or computer-related operation and thereby conduct unauthorized 
actions or gain unauthorized access to assets or records without detection. For example, one 
computer programmer should not be allowed to independently write, test, and approve 
program changes. We commonly find that computer programmers and operators are 
authorized to perform a wide variety of duties, thus providing them the ability to 
independently modify, circumvent, and disable system security features. Similarly, we have 
also identified problems related to transaction processing, where all users of a financial 
management system can independently perform all of the steps needed to initiate and 
complete a payment. 

• System Software Controls. System software controls limit and monitor access to the 
powerful programs and sensitive files associated with the computer system's operation, e.g., 
operating systems, system utilities, security software, and database management systems. 
If controls in this area are inadequate, unauthorized individuals might use system software 
to circumvent security controls to read, modify, or delete critical or sensitive information 
and programs. Such weaknesses seriously diminish the reliability of information produced 
by all of the applications supported by the computer system and increase the risk of fraud, 
sabotage, and inappropriate disclosures. Our reviews frequently identify systems with 
insufficiently restricted access which makes it possible for knowledgeable individuals to 
disable or circumvent controls in a wide variety of ways. 

• Service Continuity Controls. Service continuity controls ensure that critical operations can 
continue when unexpected events occur, such as a temporary power failure, accidental loss 
of files, even a major disaster such as a fire. For this reason, an agency should have (1) 
procedures in place to protect information resources and minimize the risk of unplanned 
interruptions and (2) a plan to recover critical operations should interruptions occur. At 
many of the agencies we have reviewed, we have found that plans and procedures are 
incomplete because operations and supporting resources had not been fully analyzed to 
determine which were most critical and would need to be restored first. In addition, disaster 
recovery plans are often not fully tested to identify their weaknesses. As a result, many 
agencies have inadequate assurance that they can recover operational capability in a timely, 
orderly manner after a disruptive attack. 

Unfortunately, in addressing these problems, agencies often react to individual audit findings as 
they are reported, rather than addressing the systemic causes of control weaknesses--namely, 
poor agency security planning and management. S. 1993 recognizes that this approach is 
unworkable in today's environment. 




S. 1993 PROPOSALS CAN LEAD TO IMPROVED 

INFORMATION SECURITY MANAGEMENT 


S. 1993 starts with the basic premise that computer security can only work within agencies if a 
strong management framework is in place. The bill, in fact, incorporates the basic tenets of good 
security management found in our report on security practices of leading organizations prepared 
at your request in 1998.[9] The bill proposes improvements in three significant areas: 

• following a risk-based approach to information security, 

• performing independent annual audits of security controls, and 

• approaching security from a governmentwide perspective taking into account the varying 
information security needs of both national security and civilian agency operations. 

If effectively implemented, these proposals should help federal agencies improve their 
information security practices and considerably strengthen executive branch and congressional 
oversight. 

The first improvement area would require a risk management approach to be implemented 
jointly by agency program managers and technical specialists. Instituting such an approach is 
important since agencies have generally done a very poor job of evaluating their information 
security risks and implementing appropriate controls. Moreover, our studies of public and 
private best practices have shown that effective security program management requires 
implementing a process that provides for 

• assessing information security risks to program operations and assets and identifying related 
needs for protection, 

• selecting and implementing controls that meet those needs, 

• promoting awareness of risks and responsibilities, and 

• implementing a program for routinely testing and evaluating policy and control effectiveness. 


[9] Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-68, May 1998). 

The key to this process is recognizing that information security is not a technical matter of 
locking down systems, but rather a management problem that requires understanding information 
security risks to program operations and assets and ensuring that appropriate steps are taken to 
mitigate these risks. Thus, it is highly appropriate that S. 1993 requires a risk management 
approach that incorporates these elements. 

The second proposed improvement area is the requirement for an annual independent audit of 
each agency information security program. Individually, as well as collectively, these audits can 
provide much needed information for improved oversight by the Office of Management and 
Budget (OMB) and the Congress. Our years of auditing agency security programs have shown 
that independent tests and evaluations are essential to verifying the effectiveness of computer- 
based controls. Audits can also evaluate agency implementation of management initiatives, thus 
promoting management accountability. Moreover, the annual independent evaluation of agency 
information security programs will help drive reform because it will spotlight both the obstacles 
and progress toward improving information security, much like the financial statement audits 
required by the Chief Financial Officers Act of 1990. 

Agency financial systems are already subjected to such evaluations as part of their annual 
financial statement audits. However, I would like to note that for agencies with significant 
nonfinancial operations, such as the departments of Defense and Justice, the requirement for 
annual independent information security audits would place a significant new burden on existing 
audit capabilities. Accordingly, making these audits effective will require ensuring that agency 
inspectors general have sufficient resources to either perform or contract for the needed work. 

Third, S. 1993 takes a governmentwide approach to information security by accommodating a 
wide range of information security needs and applying requirements to all agencies, including 
those engaged in national security. Under current law, distinctions between national security 
systems and all other government systems have tended to frustrate efforts to establish 
governmentwide standards and to share information security best practices. S. 1993 should help 
eliminate these distinctions and ensure the development of common approaches across 
government for the protection of similar risks, regardless of the agencies involved. 

This is important because the information security needs of civilian agency operations and those 
of national security operations have converged in recent years. In the past, when sensitive 
information was more likely to be maintained on paper or in stand-alone computers, the main 
concern was data confidentiality, especially as it pertained to classified national security data. 
Now, virtually all agencies rely on interconnected computers to maintain information and carry 
out operations that are essential to their missions. While the confidentiality needs of these data 
vary, all agencies must be concerned about the integrity and the availability of their systems and 
data. It is important for all agencies to understand these various types of risks and take 
appropriate steps to manage them. 


STRENGTHENING SECURITY CONTROL STANDARDS AND 

LEADERSHIP ALSO MERITS ATTENTION 




While S. 1993 would update the current legislative framework for computer security, two 
important considerations not addressed in the bill--the need for better-defined security control 
standards and the need to clarify and strengthen leadership for information security across 
government--are critical to strengthening security practices and oversight. I would like to 
discuss these in more detail as they complement the goals of S. 1993 and could significantly 
enhance its provisions. 

First, there is a need for better-defined security control standards. Currently, agencies have wide 
discretion in deciding what computer security controls to implement and the level of rigor with 
which they enforce these controls. However, as mentioned earlier, our audit work has shown 
that agencies have generally done a poor job of evaluating risks and implementing effective 
controls. Moreover, these audits have shown that agencies need more specific guidance on the 
controls that are appropriate for the different types of information that must be protected. 
Current OMB and National Institute of Standards and Technology (NIST) guidance is not 
detailed enough to ensure that agencies are making appropriate judgments in this area and that 
they are protecting the same types of data consistently throughout the federal community. 

More specific guidance could be developed in two parts: 

• A set of data classifications that could be used by all federal agencies to categorize the 
criticality and sensitivity of the data they generate and maintain. These classifications could 
range from noncritical, publicly available information requiring a relatively low level of 
protection to highly sensitive and critical information that requires an extremely high level of 
protection. Intermediate classifications could cover a range of financial and other important 
and sensitive data that require significant protection but not at the very highest levels. It 
would be important for these data classifications to be clearly defined and accompanied by 
guidelines regarding the types of data that would fall into each classification. 

• A set of minimum mandatory control requirements for each classification. Such control 
requirements could cover issues such as (1) the strength of system user authentication 
techniques (e.g., passwords, smart cards, and biometrics) for each classification, (2) 
appropriate types of cryptographic tools for each classification, and (3) the frequency and 
rigor of testing appropriate for each classification. 

We believe that requiring the development of these standards, particularly with minimum 
mandatory control requirements, is the most important addition that could be made to your 
legislation. More precisely defined standards will provide common measures that can guide 
agencies in developing needed controls and improve the consistency of 
evaluations. 

Second, there is a need for strong, centralized leadership for information security across 
government. Under current law, responsibility for guidance and oversight of agency information 
security is divided among a number of agencies, including OMB, NIST, the General Services 
Administration (GSA), and the National Security Agency. Other organizations are also 
becoming involved through the administration's critical infrastructure protection initiative, 
including the Department of Justice and the Critical Infrastructure Assurance Office. While 
some coordination is occurring, overall, this has resulted in a proliferation of organizations with 
overlapping oversight and assistance responsibilities. Lacking is a strong voice of leadership and 
a clear understanding of roles and responsibilities. 

Having strong, centralized leadership has been critical to addressing other governmentwide 
management challenges. For example, vigorous support from officials at the highest levels of 
government was necessary to prompt attention and action to resolving the Year 2000 problem. 
Similarly, forceful centralized leadership was essential to pressing agencies to invest in and 
accomplish basic management reforms mandated by the Chief Financial Officers Act. To 
achieve similar results in information security, the federal government must have the support of 
top leaders and more clearly defined roles for those organizations that support governmentwide 
initiatives. We believe serious consideration should be given in your legislation to clarify the 
roles of organizations responsible for governmentwide information security efforts, for example, 
the roles of OMB, NIST, and GSA, and to create a national Chief Information Officer to provide 
higher visibility and more effective central leadership of information security. 


In conclusion, we support S. 1993. It provides ingredients essential to reforming agency 
information security practices and governmentwide oversight. In particular, it recognizes the 
highly networked nature of the federal computing environment; it calls for a more 
comprehensive, risk-based framework toward information security management; and it provides 
for annual independent audits of security programs. Basically, the bill provides a better 
management framework for addressing information security issues and provides a mechanism 
for independently checking how those issues are being addressed. As we noted, this objective 
could be further strengthened by requiring better-defined security control standards and 
strengthening governmentwide leadership. 

Mr. Chairman and Members of the Committee, this concludes my testimony. We look forward to 
working with the Committee to advance the issues discussed today as well as to address our 
technical comments, which we have provided separately. I would be happy to answer any 
questions you may have. 


(511184) 






Statement of 

ROBERTA L. GROSS 
Inspector General 

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 

before the 

Senate Committee on Governmental Affairs 


Mr. Chairman and members of the Committee, 

I thank you for the opportunity to be here today to discuss S. 1993, the Government 
Information Security Act of 1999. My testimony generally will be based on the 
audits, reviews and criminal investigations performed by the NASA Office of 
Inspector General (OIG). This work provides insight into NASA's information 
technology (IT) security program. I also head a legislative working group reviewing 
S. 1993 comprised of OIG representatives from both the President's and Executive 
Councils on Integrity and Efficiency (PCIE/ECIE).¹ The group has received input from 
24 members of these Councils. These representatives by and large agree that S. 
1993 is a very positive step in highlighting the importance of centralized oversight 
and coordination in responding to risks and threats to IT security. I will also offer 
comments raised by this group. 

Introduction 

At its most extreme, the interoperability of networks has made both our nation's and 
our agencies' critical infrastructures more vulnerable to intrusion and destruction. 
Consider NASA OIG's recent press release reporting on a joint computer crimes 
investigation by the NASA OIG Computer Crimes Division (CCD); the Defense 
Criminal Investigative Service; the Federal Bureau of Investigation; the U.S. 
Department of the Interior, Office of Inspector General; and the Immigration and 
Naturalization Service, Office of Investigations. 

On February 23, 2000, Ikenna Iffih was charged in a three-count criminal 
information filed in U.S. District Court in Boston... Iffih obtained unauthorized 


¹Executive Order No. 12805, Integrity and Efficiency in Federal Programs, May 11, 1992, established 
the PCIE and ECIE. These Councils are chaired by the Deputy Director for Management of the Office 
of Management and Budget (OMB) and are comprised of Federal agency Inspectors General (IGs). 
IGs meet regularly to identify, review, and discuss areas of weakness and vulnerabilities to fraud, 
waste, and abuse in Federal programs. 





access to a dial-up Internet account. On April 10-11, 1999, Iffih used that 
account to compromise a Defense Logistics Agency (DLA) computer in 
Columbus, OH. Using the DLA computer, Iffih illegally accessed a computer 
owned by the Zebra Marketing Online Service (ZMOS) in Seattle, WA, and 
through his allegedly reckless actions, damaged that computer and caused a 
significant loss of revenue to ZMOS. On May 6, 1999, Iffih illegally accessed a 
computer located at the Goddard Space Flight Center (GSFC) in Greenbelt, 
MD, and used his access to install a "sniffer" program to review and capture 
login names and passwords transmitted on the GSFC network. Iffih then used 
the GSFC computer to illegally access and modify (deface) a Department of 
the Interior web server on May 31, 1999. 

On August 25, 1999, a search warrant was executed at Iffih's residence and 
the subsequent forensic examination of Iffih's personal computer revealed 
that Iffih had obtained unauthorized access to multiple computers owned and 
operated by Northeastern University (NEU), Boston, MA, and was in 
possession of personal identifying information on over 9,000 individuals 
associated with NEU. 

Other recent headlines have made clear the vulnerability of our networked systems 
to malicious hackers. No one can doubt that securing information from theft, 
manipulation, denial of service attacks, and alteration will be an important factor in 
shaping future Federal planning and investment of information resources. However, 
determining how much security is enough is ultimately a matter of judgment. In a 
world of limited budgets and competing programmatic and infrastructure priorities, 
each agency must determine the most critical programs and the proper security for 
the systems supporting those programs. For example, NASA's mission includes 
inspiring the public through human exploration of space. The Space Shuttle, NASA's 
reusable space launch vehicle, piloted and staffed by its astronauts and principal 
investigators, is a key component of human space exploration. The shuttle program, 
including research projects conducted aboard the shuttle, involves elaborate network 
connectivity between the NASA centers and private industries, universities, and 
foreign nations. NASA also provides public web sites to inform the public about its 
role in the human exploration of space. Obviously, the level of security needed to 
protect NASA public web sites is not the same as that needed to ensure astronaut 
safety aboard the Space Shuttle. 

Further complicating network security planning is that payback from the investment 
in information security is uncertain. Just recall discussions in the media as to 
whether the Y2K² effort was hype. However, headlines would have been far 


²On February 4, 1998, the President issued Executive Order 13073, "Year 2000 Conversion," stating 
that, because of a design feature in many electronic systems, some computer systems and other 
electronic devices may misinterpret the date change to the year 2000. This flaw was labeled the "Y2K 
problem" because it could cause systems to compute erroneously or simply not run. 




different if the Government's Y2K efforts had failed. IT security failures also make 
headlines. 

Today's hearing reflects this Committee's recognition of the importance of planning a 
national coordinated approach to IT security. While it is essential that the debate 
continue over the precise implementation of a comprehensive plan, S. 1993 provides 
a good framework. Moreover, S. 1993 contemplates 
that agencies will receive appropriate funding and personnel authority. IT 
security will not happen without appropriate funding and a core capability of skilled 
personnel. Nevertheless, there are current existing resources for effective controls 
ranging from guidance set forth in OMB Circular A-130³ to the General Accounting 
Office's (GAO) various best practices guides, as well as the framework set forth in 
several recently enacted laws (e.g., Clinger-Cohen Act⁴). In addition, the Chief 
Information Officers (CIOs) individually and through their CIO Council have been 
studying and making recommendations in this arena. Also, various Inspectors 
General (IGs) have been active in providing recommendations through their reviews, 
audits and computer crimes investigations. One only needs to look through recent 
IG semiannual reports submitted to Congress to see the extensive activity by IGs in 
this arena. In the case of the NASA OIG, I refer you to our home page at 
http://www.hq.nasa.gov/office/oig/hq for the most recent semiannual report, as well 
as the full text of audits, reviews, and press releases of criminal investigations in the 
IT security arena. 

Discussion of S. 1993 

The proposed Act places responsibility on, accountability of, and coordination by 
some of the same players who made the Y2K readiness effort successful: OMB; the 
agency heads; the CIOs; GAO; and the IGs. In addition, because of the issues raised 
by information security, the Act also assigns specific roles to the Departments of 
Justice and Commerce, GSA, and law enforcement entities. 


³OMB Circular A-130 calls for a plan for adequate security of each general support system and major 
application as part of the organization information resources management planning process. The 
security plan shall be consistent with guidance issued by the National Institute of Standards and 
Technology (NIST). Independent advice and comment on the security plan shall be solicited prior to 
the plan's implementation. A summary of the security plans shall be incorporated into the strategic 
information resources management plan required by the Paperwork Reduction Act (44 U.S.C. Chapter 
35) and Section 9(b) of the Circular. 

⁴The Clinger-Cohen Act of 1996 has established within Federal agencies the corporate framework for 
management of information resources, including both government information and information 
technology. The establishment of Chief Information Officers was singularly one of the most positive 
steps taken to focus attention on the management of information. Importantly, the Act called for a 
comprehensive information technology architecture that provides the integrated framework for both 
existing and newly acquired hardware and software. 




Success of Y2K Coordinated Efforts Provides a Model for Similar Approach 
to IT Security 

It is worthwhile to briefly look at the mobilization of the Federal government in 
addressing the Y2K problem. That effort highlights what agencies can accomplish 
when there is sufficient priority placed on an initiative by the President, OMB, agency 
heads, the CIOs, GAO, IGs, as well as the Congress in the exercise of its oversight 
authority. The Y2K readiness effort forced the government into strategic 
management of its information resources. 

Determined to avert potential catastrophic collapse of critical infrastructures, the 
Federal, state and local governments, as well as the private sector, attempted to 
identify the mission criticality of individual systems only to find such distinctions 
blurred by network interdependencies. End-to-end testing performed to assess Y2K 
readiness became a time-consuming enterprise in defining the boundaries of 
networked environments. As the new millennium approached, the Federal 
government focused increased attention on the problem. The President appointed a 
Special Assistant, John Koskinen, Chair of the President's Council on Year 2000 
Conversion; the Congress initiated focused oversight on agencies' readiness; OMB 
required department and agency heads to submit detailed reports; agency heads 
made clear the mandate to their staffs to place this effort as a high priority; and IGs 
and the GAO devoted substantial resources and efforts to help ensure that their 
agencies were going to be ready when the date changed. The focus worked. We 
entered the new millennium with minimal Y2K problems. 

As discussed below, S. 1993 also assigns responsibilities to these same players (as 
well as additional entities) and gives each a responsibility for the success of 
Information security. 

Roles Set Forth in S. 1993 

The proposed bill gives wide latitude to OMB to take any authorized actions, 
including involving the budget or appropriations management process to enforce 
agency accountability for information resources. OMB will be required specifically to 
oversee and develop policies, principles, standards and guidelines for the handling of 
Federal information and information resources and to use its budgetary authority to 
enforce the accountability of the agency heads for information resources 
management and investments. Of course, OMB generally has these budgetary and 
policy authorities and has provided agencies considerable guidance (e.g., OMB 
Circular A-130). However, the explicit requirements emphasize the importance the 
Congress places on this effort. It re-emphasizes the mandate for OMB to hold 
agency heads accountable to implement information security and investment 
securities. Further, the Deputy Director for Management of OMB, to whom the 
Director may delegate the responsibilities under this proposed legislation, has a 




unique vantage point to coordinate efforts across the government by virtue of his/her 
role as of the President's Management Council (PMC),⁵ the PCIE/ECIE, Chief 
Financial Officer⁶ and CIO Councils initiatives. Planning responsibility at the Deputy 
Director level emphasizes to agency heads the importance placed on this initiative by 
the Congress. 

Heads of Agencies: The agency heads occupy the "bully pulpit." They set the 
priorities of the Federal government by their personal involvement. It happened in 
the Y2K effort. It needs to happen in the IT security effort. This involvement means 
far more than issuing a memo or series of memos. The agency heads have to make 
clear that the current agency cultures, which permit very simple and avoidable 
vulnerabilities to occur and reoccur, are no longer acceptable. 

Agency heads also have to ensure that their agency has sufficient trained personnel, 
a key requirement of the Act. Under the proposed Act, agency heads' involvement 
extends to ensuring key officials (the CIO and senior program managers) perform 
their substantive responsibilities. 

CIOs: The Act assigns considerable responsibility to CIOs for developing and 
maintaining agency information security programs, including assisting senior program 
managers in their responsibilities. The PCIE/ECIE working group noted that it would 
be helpful if the Act or legislative history provides greater guidance on the senior 
program manager function since that term is not defined in the proposed Act or 
existing legislation. Some agencies might view the position as a very senior high 
level official; others, as the individual in charge of a specific program (e.g., Shuttle 
Program). 

Requirements of the bill alone, however, will not ensure the CIOs' success. Most 
participants in the PCIE/ECIE working group felt that agency CIOs lacked the 
leverage and control of resources necessary to successfully develop, implement, and 
evaluate their agencies' information security programs. Some even expressed the 
opinion that their agencies' CIOs were, at best, "paper tigers." The proposed bill 
contemplates, and the group supports, giving teeth to the position in order to ensure 
CIO responsibilities are effectively carried out. Congress will have to maintain 
oversight of the agencies' empowerment of their CIOs. 


⁵President's memorandum, October 1, 1993, reprinted at 58 FR 52393, established the President's 
Management Council (PMC). The PMC consists of the Chief Operating Officers of all Federal 
departments and the largest agencies. The PMC provides leadership for the most important 
Government-wide reforms. 

⁶Pursuant to 31 U.S.C. Section 90, Chief Financial Officers are appointed or designated for major 
Federal agencies and are responsible for agency policies, guidelines, and procedures for budget and 
financial management functions. 




At NASA, the OIG has repeatedly recommended increased authority for the CIO. The 
Agency CIO has a limited staff and extremely limited budget (usually funds are 
provided for certain one time only NASA-wide purchases). The 10 Centers each have 
their own CIOs who collaborate with, but do not report to, the NASA CIO. The Center 
CIOs each report to their Center's management who define their budgets, write their 
performance evaluations and allocate their staff positions. At some Centers, IT 
security resides in the security office; at other centers, it resides in the CIO's office. 

In the past, we have been critical of this organizational approach to security by 
consensus because it results in delayed issuance and implementation of policies and 
procedures. Compounding this organizational structure, NASA has intentionally 
decentralized the CIO responsibility for IT security, designating different centers as 
the "Centers of Excellence" for specific functions: Ames Research Center (California) 
for IT security; Kennedy Space Center (Florida) for one component of 
Communications Security (COMSEC)⁷ (Central Office of Records for the safeguard 
and control of COMSEC material⁸) with overall COMSEC management maintained 
within the Security Management Office at Headquarters; Goddard Space Flight 
Center (Maryland) for network incident response; Glenn Research Center (Ohio) for 
IT security training; and Marshall Space Flight Center (Alabama) for firewalls. We 
question the effectiveness of decentralizing and fragmenting these functions. 
Consider for example NASA's designation of Ames as the Center of Excellence for IT 
security. Ames personnel can and do conduct research into technology solutions for 
various IT vulnerabilities. Moreover, Ames coordinates with the Center CIOs, at a 
minimum, during weekly telecons and extensive exchange of email communications. 
These are all important practices. However, this assignment of responsibility to 
Ames reduces NASA's ability to efficiently and effectively utilize the enormous 
resources for IT security concentrated in the Washington, DC, metropolitan area. For 
example, the following offices are all located in Washington, DC, or its environs: 

• NASA, the CIO, as well as the Security Office in charge of classified 
information policies and procedures. 

• NASA OIG Computer Crimes Division forensics and media analysis. 

• NASA IT Security Council - quarterly meetings occur at Headquarters 
where NASA-wide issues impacting the funding, staffing and other IT 
security issues are discussed (the Ames IT Security manager travels from 
Ames to attend this meeting or is connected by telecon). 

• NASA's Automated Systems Incident Response Capability (NASIRC). 

• National Security Council 

• OA 

• NIST 

• Department of Defense Joint Task Force - Computer Network Defense 
(JTF-CND) 

• Department of Justice (DOJ) Computer Crimes and Intellectual Property 
Section (DOJ unit in charge of prosecuting network crimes). 

• National Infrastructure Protection Center (NIPC)⁹ 


⁷COMSEC generally encompasses secure measures and controls taken to deny unauthorized persons 
information derived from telecommunications and ensures the authenticity of such 
telecommunications. Communications security includes crypto-security, transmission security, 
emission security, and physical security of COMSEC material. For example, COMSEC measures are 
applied to protect the command and control communication links with the space shuttle. 

⁸COMSEC Central Office of Records (COR): the NASA COR provides centralized management and 
control of all COMSEC material held by NASA COMSEC accounts. NASA COR responsibilities include: 
establishing and closing COMSEC accounts; and establishing or approving accounting procedures for 
accounts under its cognizance. 

The NASA IT Security Manager could benefit by establishing close personal contacts 
with staff at the above listed agencies in order to stay current in their assessments of 
vulnerabilities, standards and best practices.¹⁰ In the NASA OIG, we spend 
considerable time networking with these agencies to gain proficiency in IT security. 

The proposed legislation requiring the CIO to designate a senior agency Information 
Security Officer will not address this decentralization at NASA. The Act does not 
require this position to report to the CIO, nor that this position be located in the 
CIO's office. 

From our past work, we have seen very concrete examples where the decentralized 
structure weakened NASA's IT security posture. For example, NASA descoped the 
funding and responsibility for NASIRC, a widely respected network incident response 
center, by fragmenting responsibility for its oversight at two centers, Ames (the 
Center of Excellence for IT security) and Goddard (the Center of Excellence for 
response). The Goddard Contracting Officer and Contracting Officer Technical 
Representative (COTR) performed oversight. Moreover, Centers differed widely in 
reporting intrusions to NASIRC. The absence of full reporting impacted the ability of 
the NASIRC to "connect the dots", to see the pattern of intrusions, and thereby, 
perhaps to discern the intent of the hackers and to prepare proper advice and 
warnings to the NASA Centers. The failure to report incidents also materially 
impacted on the ability of NASA OIG Computer Crimes Division (CCD) to be able to 
discern the pattern of criminal intent and identify those conducting malicious attacks 
against NASA's systems. Because of these issues, my Inspections unit conducted an 
assessment and made 11 recommendations to strengthen NASIRC. Management 
concurred, and we will conduct follow-up to ensure recommendations are fully 
implemented. 


⁹See pages 15-17 for a discussion of the NIPC's role in IT security. 

¹⁰Moreover, it's been our experience that it is extremely difficult for Government to recruit and retain 
highly skilled computer professionals in the Ames area due to its high cost of living and proximity to 
California's Silicon Valley (San Jose). 







Inspectors General (IGs): S. 1993 provides for responsibility of the IGs appointed 
under the IG Act of 1978 (5 U.S.C. App.) to perform annual evaluations and tests of 
the agencies' compliance with the IT security requirements of the Act. Alternatively, 
an independent auditor, as determined by the IG of the agency, can perform the 
annual evaluation requirements. 

The PCIE/ECIE working group recommended that the Act apply to all IGs. As 
written, Presidentially appointed IGs created after the original Act of 1978 (e.g., the 
IG at Department of Justice) would not be included, nor would any ECIE IGs. The 
proposed change would also ensure that the IG of the agency would be the selecting 
official for the independent evaluator in all instances, not the head of the agency. 

The working group also commented that the outside reviewer should not be narrowly 
defined as an "independent external auditor" (implying a financial orientation), but 
instead, be any qualified external entity. 

The PCIE/ECIE working group discussed the issue of the resources required for 
performing the annual review. To place their comments in context, I think it is 
instructive for the Committee to understand the OIGs' experience with the Chief 
Financial Officer (CFO) audits. The financial audit reports were annual and could be 
performed by the OIG or by an independent external auditor. In order to meet their 
requirements under the CFO Act, the OIGs dedicated substantial staff and budget. 

In NASA's case, the Agency and OMB supported staffing increases (approximately 10 
additional auditors) during the period the OIG performed the audit. Both the Agency 
and OMB's funding support and the CFO's substantial engagement enabled NASA to 
be one of the first Federal agencies to receive an unqualified opinion. Once NASA 
received two unqualified opinions from the NASA OIG, the Agency continued to 
support the CFO audit requirements by funding the external independent audit 
contract selected by the OIG. The OIG continued to dedicate staff to perform 
oversight of the contract, including the assurance that the independent audit met 
generally accepted government auditing standards. 

Similarly, the annual report envisioned by S. 1993 will require substantial 
personnel and budget commitment by each agency's IG. In the case of the NASA 
OIG, information technology (IT) security has been one of the highest priorities of 
my office. The OIG currently has a robust program of criminal investigation, 
inspection, and audit activity focusing on protecting NASA's information resources 
and aggressively pursuing felonious intrusions resulting from hostile attacks on NASA 
information systems. 

At the outset of my tenure, I was personally committed to building an IT audit, 
evaluation, and investigation IT security capability because of NASA's extensive 
dependence on network systems. In order to create the IT capabilities, I used 







vacancies created in other program areas. The Computer Crimes Division (CCD) is 
small, but smart and efficient.¹¹ Because I have recruited skilled staff for the 
computer crimes unit, they are usually at high grades; they are worth it. 

The creation of the IT audit unit consisted of recruiting a handful of auditors and 
evaluators with some IT familiarity and training in-house auditors over the last four 
years. They began with very simple audits and received targeted training prior to 
each audit. They are now demonstrating increased skills, so they are able to perform 
more complex audits. 

The office has made numerous recommendations to improve NASA's incident 
response capabilities and to protect sensitive technologies and other information 
from unauthorized access. For example, during an inspection, we uncovered security 
weaknesses involving data remaining on transferred and excessed personal 
computers.¹² 

I have described the NASA OIG resource commitment so that the Committee will 
have a context to appreciate the comments on resources of the PCIE/ECIE working 
group. The reviews contemplated by S. 1993 will require recruiting, training and 
retaining a skilled set of personnel to perform the functions envisioned by the Act. 
The ability to perform the audits will be an evolving process. That also was the case 
for the CFO audits. Nevertheless, the investment in IT capability is well worthwhile 
for the oversight the IGs can provide and so should be supported by the agencies, 
OMB and the Congress through appropriate funding. 

Law Enforcement Authorities: The Act provides that the CIO shall establish 
procedures for detecting, reporting, and responding to security incidents, including 
notifying and consulting with law enforcement officials and other offices and 
authorities. It also provides for notifying and consulting with an office designated by 
the Administrator of General Services within the General Services Administration.¹³ 

I want to address the CIO's requirements for "responding" and for "notifying law 
enforcement officials". The Act needs to make clear that the responsibility for 


"As part of their erfldency and economy, the CCO forms prtnershtps for tool development and share 
resourees with entities such as the Department of Defense Computer IH>renslcs Laboratory (DCFL). 
OCR's mission includes providing digital evidence processing, analysis and diagnostics for ODD 
criminal, fraud, and oounterlnteiligenoe Investigations, operations and programs. We hope to continue 
forming partnerships with others In such areas as tialnlrig. 

"My omce has published an Instructional brochure on properly clearing data from hard drives, which I 
have previously provided for your Information and use. This pamphlet was widely distributed 
throughout MASA and the IG community. 

"the POE/EQE worldng group could not comment about the GSA provisions because we were unsure 
which offices set forth In S. 1993 would perfom. the functions and responsibilities. 




80 


'responding* to security Incidents does not Indudd 'investigating* the Incidents. 
Program ofndais by necessity have to perform some prellmb>ary review In order to 
determine appropriate steps to protect critical systems and maintain operation and 
further analy^s when they suspect potential crimes. However, systems 
administrators are not law enforcement Investigators. The Investigative role is 
reserved for special agents trained In evidence collection, chaln-of-custody Issues, 
and other legal Issues Impacting admissibly of evidence and court presentations. 




The Act is silent as to what entities are meant by "law enforcement officials". Where an
OIG has established a computer crimes division, then the agency system administrators need
to report to the IG special agents. It is crucial for the system administrators to work in
close cooperation with special agents who can suggest alternatives to preserving evidence
while minimizing impact on operations.

Of course, OIG special agents are not the only law enforcement officials involved in
investigations of cyber crime. Presidential Decision Directive (PDD) 63 addresses the
protection of critical infrastructures that include physical and cyber-based systems
essential to the minimum operations of the economy and the government. As part of the
protection of the nation's critical infrastructure, PDD 63 establishes the National
Infrastructure Protection Center (NIPC) to, among other duties, "... serve as a national
critical (bold in the original) threat assessment, warning, vulnerability and law
enforcement investigation and response entity". The NIPC's role for critical
infrastructure protection only reinforces the key role of Inspectors General to conduct
investigation of agency network crimes. OIGs, because of their audit, inspection and
investigative activity, are able to make key linkages about criminal activity and the need
for better internal controls in their agencies. The legislative history of the IG Act
makes this linkage one of the key reasons for creating OIGs.

Not surprisingly, more Inspectors General are establishing computer crime units as their
agencies are more and more turning to e-commerce to conduct business, solicit grants and
contracts and to purchase supplies. Investigators will no longer be able to rely on the
"paper trail" to identify their suspect. They must be able to retrieve evidence stored in
a computer and know how to properly seize a computer used in the commission of crimes.

The IG Act specifically provides that the Offices of Inspector General were created to
"conduct and supervise investigations relating to the (Agency) programs and operations
..." of the Agency (Sec. 2); "... to conduct, supervise, and coordinate audits and
investigations relating to the programs and operations ..." of the Agency
(Sec. 4(a)(1)); and "in carrying out the duties and responsibilities established under
this Act, each Inspector General shall report expeditiously to the Attorney General
whenever the Inspector General has reasonable grounds to believe there has been a
violation of Federal criminal law" (Sec. 4(d)).





    [The OIG] provides a single focal point in each major agency for the effort to deal
    with fraud, abuse and waste in federal expenditures and programs. Without that focal
    point, the linkage between auditing and investigating is likely to be ineffective. ...
    Additionally this type of coordination and leadership strengthens cooperation between
    the agency and the Department of Justice in investigating and prosecuting fraud cases.
    The Department testified emphatically that those agencies which have been effective
    co-partners with the department have been those with viable offices of Inspector
    General.

Senate Report No. 95-1071, pp. 2681-2682.

The Department of Justice has made clear that it does not contemplate that only the FBI
has the authority to investigate or track computer offenses. Scott Charney, former Chief,
Computer Crime and Intellectual Property Section, Department of Justice, wrote a letter
dated February 1, 1997, to the then Chair-Nominee of the President's Commission on
Critical Infrastructure Protection. Mr. Charney stated:

    ... Second, I must correct the impression that at the federal level, only the FBI and
    the Department of Justice have the authority to investigate or track such attacks
    (computer offenses). Since 1984, when Congress passed the first computer crime
    statute, the U.S. Secret Service has had explicit jurisdiction over some kinds of
    computer crimes, along with the Federal Bureau of Investigation, which has general
    jurisdiction in this area. See 18 U.S.C., Sec. 1030(d). In addition, many Federal
    agencies have criminal investigators with the training and the mission to investigate
    computer crimes directed against their own agencies. Some of these organizations,
    like the U.S. Air Force Office of Special Investigations, and the NASA Inspector
    General, have been leaders in this field.

As stated previously, IG special agents work closely with the Attorney General. The
Department of Justice attorneys will function as the "honest broker", providing the proper
coordination where IGs need to be working closely with the NIPC. The NIPC's focus is
critical infrastructure. But there are thousands and thousands of daily intrusions. The
NIPC does not investigate all of the thousands of agency intrusions because they are not
all against the critical infrastructure. OIG special agents are the chief investigators
for their victim agencies. The Act or report language should emphasize the important role
of IGs in protecting their victim agencies.








CONCLUSION 

In summary, the Act importantly recognizes that IT security is one of the most important
issues in shaping future Federal planning and investment. By highlighting OMB's role, the
Act recognizes that IT planning does not stop at the doors of any agency. By focusing on
the roles of the agency heads and CIOs, the Act makes it clear that each agency must be
far more vigilant and involved than current practices.

The IG community has already been involved in IT security oversight and criminal
investigation of network intrusions. S. 1993 provides an even greater role. This task will
require IG commitment of staff and other resources. The agencies, OMB and Congress need to
provide the leadership and budgetary support for all the key players the Act enlists to
defend the nation's network systems.




Before the Senate Governmental Affairs Committee
"Protecting Federal Systems from Cyber Attack"

Mar. 2, 2000

Testimony of Kenneth Watson
Cisco Systems Inc.

Manager, Critical Infrastructure Protection

Chairman Thompson, Ranking Member Lieberman, distinguished members of the Senate, I
appreciate the opportunity to speak with you today about network security best practices.

Cisco Systems is serious about network security, and about its implications for the
critical infrastructures on which this and other developed nations depend. Cisco predicted
that the Internet would change the way we work, live, play and learn. Just four years ago
this was considered a bold statement, but today few would argue that the Internet is
changing every aspect of our lives. The Internet economy is creating a level playing field
for companies, countries and individuals around the world. In the 21st century, the big
will no longer outperform the small - rather, the fast will beat the slow.

The Internet was originally built to share information among scientists and other
researchers in a trusted academic environment. No one considered the need for information
security or that its commercialization would proceed as rapidly as it has. Over the last
10 or 15 years, we have gradually become dependent on networks, not only for conducting
electronic business, but also for delivery of vital goods and services, like electricity,
communications, water, oil and gas, as well as controlling transportation and financial
transactions. Network security solutions are equally applicable to both the private sector
and government networks. While network protocols, vulnerabilities, countermeasures, and
best practices are common, regardless of business sector, function, or mission, no two
companies or federal departments will have the same requirements or optimum solutions at
any given time. And those requirements and solutions will change over time.

So how do you decide on a "best practices" solution? Many companies have their own
solutions, and in fact, the Federal Chief Information Officers Council is conducting a
study to investigate best practices for federal departments and agencies. I would like to
offer a simple way to organize network security technologies and practices, and talk a
little about what Cisco has seen in customer networks.

There are many ways to organize security technologies and activities - it's important to
choose one and then carry it out. Here is ours - it's called the "Security Wheel."




Figure 1. The Security Wheel

Good security must be based on policy. One of our teams was out installing an intrusion
detection system, and the company CEO wanted a list of the top ten web sites visited by
his employees. He was also in the process of buying a second T-1 line because of his
company's increasing demand for bandwidth. We showed him that the top seven or so weren't
related to his company's business - in fact, they were to sports scores, porn sites, etc.
He was furious, and wanted names. "Heads will roll!" We advised him that the list
represented a majority of his company, and he would do better to establish a simple web
use policy. He sent a memo to all employees, showing the "top ten" list, and stating that
browsing the web with company computers for non-business-related use would be restricted
to before and after business hours and during lunch. This told his employees two things:
he could see what they were doing, and he cared. Almost instantly, his need for a second
T-1 vanished.

After setting appropriate policies, a company or organization must methodically consider
security as part of normal network operations. This could be as simple as configuring
routers to not accept unauthorized addresses or services, or as complex as installing
firewalls, intrusion detection systems, centralized authentication servers, and encrypted
virtual private networks.

A basic tenet of military combat engineers is that an unobserved obstacle will eventually
be breached. The same is true in networks. Hackers will eventually figure out a way through
or around static defenses. The number and frequency of computer attacks is constantly on
the rise - there are no "vacation periods." As such, a critical part of the security wheel
is to monitor one's network infrastructure and then respond to attempted (or successful)
attacks.

The next stop on the wheel is testing a network. Organizations should scan their own
networks regularly, updating electronic network maps, determining what hosts and services
are running, and cataloging vulnerabilities. They should also bring in experts to conduct
independent network security posture audits once or twice a year to provide a more
thorough assessment of vulnerabilities and to get independent, outside recommendations
regarding countermeasures, security patches, and other improvements.

Finally, there must be a feedback loop in every "best practice." System administrators
must be empowered to make improvements. Senior management must be held accountable for
network security, and those involved in the day-to-day operations must have their
attention.

Only by collecting and managing appropriate network security data, through audit logs,
intrusion detection and response systems, and network scans, can management make
intelligent decisions and improve the network's security.

If you were to ask me what the most important step is, I would give you two answers; one
for the short term, and one for the long term. In the short term, the best thing any
company or government entity can do is to conduct a security posture assessment along with
a risk assessment, to establish a baseline security state. Without measuring where you
are, you can't possibly figure out where to go or how to get there.

Last week's issue of Information Week includes a report from our security consulting team
on vulnerabilities we have seen while conducting security posture assessments in customer
networks. We grouped vulnerabilities into three categories: denial of service,
reconnaissance, and access. Denial of service vulnerabilities allow an outsider to block
normal network traffic to a server. Reconnaissance vulnerabilities permit an attacker to
gather information that may prove useful to a future attack. Access vulnerabilities allow
attackers to alter or manipulate data in a network. I've attached some suggestions to this
testimony for identifying and remedying the most common vulnerabilities, which apply to
any network, public or private.

For the long term, the best thing we can do together is to close the alarming skills gap.

The requirement for highly skilled security specialists is increasing faster than all the
training programs combined can produce qualified candidates. Universities are having
difficulty attracting both professors and students. The government is also having a hard
time retaining skilled security specialists. We in the private sector are building and
maintaining state-of-the-art security training programs, and we're collaborating with
education institutions and training partners to provide a wide base for delivery. We're
also helping the Office of Personnel Management to identify knowledge, skills, and
abilities, ongoing training requirements, and career management and mentoring ideas for a
Federal IT security workforce. This human resources issue is by far the most critical
information security problem we face, and the solution must be based on government,
industry, and academic collaboration.

This committee recently proposed new legislation to strengthen federal network security,
S. 1993. Two provisions of this bill closely parallel what we in industry have been saying
for some time: security must be promoted as an integral component of each agency's
business operations, and information technology security training is essential to the
success of any network security improvement program. Each department and agency should
execute its own programs based on tailored mission and risk analyses.

Corporate network perimeters are blurring. That's also true for the lines between
government and industry. The Internet knows no boundaries, and we're all in this together.
We are very enthusiastic about the new Partnership for Critical Infrastructure Security, a
voluntary organization of some 120 companies from across the country dedicated to
improving the network security of our critical infrastructures. Already we have seen early
fruits of this effort; 210 key executives attended a planning retreat here to begin to
address interdependency vulnerabilities, information sharing, awareness and outreach,
legislative and regulatory issues, research and development and workforce development. As
we further build the relationship between the public and private sectors, we hope the
great spirit of cooperation, led by the Department of Commerce and the Critical
Infrastructure Assurance Office, will continue.

We will continue to work together to raise the bar of security overall, worldwide, so that
we can empower our citizens and customers to take full advantage of the Internet economy
in the Internet century.

I would be glad to take any questions.





Top Internet (External) and Intranet (Internal) Vulnerabilities and Recommended Fixes

This table outlines the vulnerabilities most often encountered by the Cisco Secure
Consulting Services teams over the last six months. The vulnerabilities and their
recommended fixes are applicable to any public or private Internet Protocol network.

2. Intranet

A. Denial of Service

  Vulnerability: Outdated, unnecessary network services (such as echo, chargen, systat,
  netstat)
  Recommended fix: Disable services as they are not typically required.

  Vulnerability: FTP pasv
  Recommended fix: Update FTP server software to current release, apply security patches,
  enhance monitoring.

  Vulnerability: Remote buffer overflow in the bootp network service
  Recommended fix: Disable bootp if not required, apply vendor security patches, enhance
  monitoring.

  Vulnerability: Remote buffer overflow in network service
  Recommended fix: Update lOT server software to current release, apply security patches,
  enhance monitoring.

B. Reconnaissance

  Vulnerability: RPC Portmapper provides RPC sub-service information
  Recommended fix: Update RPC portmapper software, apply security patches, enhance
  monitoring.

  Vulnerability: Finger provides username information
  Recommended fix: Disable the finger network service, apply vendor security patches,
  enhance monitoring.

  Vulnerability: SMTP network services verify and expand
  Recommended fix: Update SMTP server software to current release, apply security
  patches, enhance monitoring.

  Vulnerability: Statd network service
  Recommended fix: Disable the service, apply vendor security patches, enhance
  monitoring.

  Vulnerability: SNMP public community string
  Recommended fix: Change SNMP community names to something non-intuitive, disable access
  to SNMP from the Internet.

C. Access

  Vulnerability: Weak user authentication (default accounts, common accounts, joe
  accounts, null passwords)
  Recommended fix: Routine auditing of user selected passwords, password strength policy.

  Vulnerability: SMTP mail relay
  Recommended fix: Update SMTP server software to current release, apply security
  patches, enhance monitoring.

  Vulnerability: SMTP Pipe From
  Recommended fix: Update SMTP server software to current release, apply security
  patches, enhance monitoring.

  Vulnerability: SMTP Pipe To
  Recommended fix: Update SMTP server software to current release, apply security
  patches, enhance monitoring.

  Vulnerability: SNMP private community string
  Recommended fix: Change SNMP community names to something non-intuitive, disable access
  to SNMP from the Internet.
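As an added example (not part of the hearing record and not Cisco's code), the following Python audits two constructed configuration fragments against the intranet findings in the table above: an inetd.conf-style service list for the outdated echo/chargen/systat/netstat services plus finger and bootp, and a Net-SNMP-style snmpd.conf for the default "public"/"private" community names and communities with no source restriction. The file formats, keywords and sample contents are assumptions.

```python
"""Hardening audit for the intranet findings in the Cisco table above.

Added example, not from the hearing or from Cisco. It checks two constructed
configuration fragments (an inetd.conf-style service list and a Net-SNMP-style
snmpd.conf) for the legacy services and default SNMP community strings that the
table recommends disabling or changing. File formats and samples are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Table rows 2.A and 2.B: service -> recommended fix (wording follows the table).
LEGACY_SERVICES: dict[str, str] = {
    "echo":    "Disable; outdated, not typically required (denial of service)",
    "chargen": "Disable; outdated, not typically required (denial of service)",
    "systat":  "Disable; outdated, not typically required (denial of service)",
    "netstat": "Disable; outdated, not typically required (denial of service)",
    "bootp":   "Disable if not required, apply vendor patches (denial of service)",
    "finger":  "Disable; reveals usernames (reconnaissance)",
}
# inetd names the bootp server "bootps"; map it onto the table's bootp row.
SERVICE_ALIASES = {"bootps": "bootp"}

# Table rows 2.B and 2.C: default community names that must be changed.
DEFAULT_COMMUNITIES = {"public", "private"}

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf (not from a real host)
#echo    stream  tcp  nowait  root    internal
chargen  stream  tcp  nowait  root    internal
finger   stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
ftp      stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
bootps   dgram   udp  wait    root    /usr/sbin/bootpd      bootpd
"""

SAMPLE_SNMPD_CONF = """\
# constructed sample snmpd.conf (Net-SNMP style: keyword community [source])
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity k7-ops-ro 192.0.2.0/24
"""


@dataclass(frozen=True)
class Finding:
    source: str          # which file the finding came from
    item: str            # service or community name as written in the file
    recommendation: str  # fix, following the table's wording


def audit_inetd(conf: str) -> list[Finding]:
    """Flag enabled inetd services that the table lists as outdated or risky."""
    findings = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the service is already disabled
        service = line.split()[0].lower()
        key = SERVICE_ALIASES.get(service, service)
        if key in LEGACY_SERVICES:
            findings.append(Finding("inetd.conf", service, LEGACY_SERVICES[key]))
    return findings


def audit_snmp(conf: str) -> list[Finding]:
    """Flag default community names and communities with no source restriction."""
    findings = []
    for raw in conf.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in ("rocommunity", "rwcommunity", "community"):
            continue  # comments, blanks and unrelated directives
        community = parts[1]
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("snmpd.conf", community,
                                    "Change community name to something non-intuitive"))
        if len(parts) < 3:  # no source network given: reachable from anywhere
            findings.append(Finding("snmpd.conf", community,
                                    "Restrict source addresses; do not expose SNMP to the Internet"))
    return findings


def audit_all(inetd_conf: str, snmpd_conf: str) -> list[Finding]:
    """Combined report over both configuration fragments."""
    return audit_inetd(inetd_conf) + audit_snmp(snmpd_conf)


if __name__ == "__main__":
    for f in audit_all(SAMPLE_INETD_CONF, SAMPLE_SNMPD_CONF):
        print(f"{f.source:11} {f.item:12} {f.recommendation}")
```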






TESTIMONY OF JAMES ADAMS
CHIEF EXECUTIVE OFFICER
INFRASTRUCTURE DEFENSE, INC.


COMMITTEE ON GOVERNMENTAL AFFAIRS
UNITED STATES SENATE

MARCH 2, 2000


Introduction

Chairman Thompson, Ranking Member Lieberman, members of the Committee; good morning and
thank you for including me on this distinguished panel. My name is James Adams and I am
the CEO of Infrastructure Defense Inc. (iDEFENSE).

By way of brief background: iDEFENSE provides intelligence-driven products - daily
reports, consulting and certification - that allow clients to mitigate or avoid computer
network, Internet and information asset attacks before they occur. As an example,
iDEFENSE began warning its clients about the possibility of Distributed Denial of Service
attacks - the kinds of hacker activity that is currently capturing headlines across the
globe - back in October and November of last year.

At the outset, I want to commend Senators Thompson and Lieberman, and their respective
staff, for crafting such thoughtful and badly needed legislation in the area of computer
security for the federal government. We are currently in the midst of a revolution, the
Information Revolution, which calls for dramatic and bold steps in the area of securing
cyberspace. The old ways of doing business don't work any more.

It is in this context that the Thompson-Lieberman bill takes a crucial step forward. By
shaking up the current culture of lethargy and inertia gripping the federal government
with a proposal to put teeth into the OMB's oversight of computer security issues, this
bill is a solid step in the right direction.

Why does this matter?

Few revolutions are accomplished without bloodshed. Already, as we plunge headlong and
terribly unprepared into the Knowledge Age, we are beginning to receive the initial
casualty reports from the front lines of the technology revolution and to witness
first-hand the cyberthreats that, if allowed to fully mature, could cause horrendous
damage to society.





The ongoing campaign of Denial of Service attacks includes some of the household names of
e-commerce — Microsoft, Yahoo, eBay, Amazon.com, CNN, ZDNet, and E*Trade. Comparative
newcomer Buy.com was attacked on the day of its Initial Public Offering, and other smaller
firms such as Datek Online Holdings Corp. experienced problems, which are probably related
to the attacks. Targeted sites receive hits on their servers of up to one Gigabit of data
per second, and are unavailable to the general public for anywhere from 30 minutes to
several hours.

From the headlines, you would think that these attacks suggested the end of the cyberworld
as we know it. Nothing could be further from the truth. These were mere pinpricks on the
body of e-commerce. Consider instead that some 30 countries have aggressive offensive
Information Warfare programs and all of them have America firmly in their sights.
Consider, too, that if you buy a piece of hardware or software from several countries,
among them some of our allies, there is real concern that you will be buying doctored
equipment that will siphon copies of all material that passes across that hardware or
software back to the country of manufacture.

The hacker today isn't just the stereotypical computer geek with a grudge against the
world because he can't get a date. And not every hack that is successfully pulled off is
as sophomoric as, say, a recent incident when the self-styled Masters of Downloading
hacked into the official U.S. Senate Web site and replaced its front page with a message
proclaiming "Screw You Guys."

The hacker today is much more likely to be in the employ of a government, of big business
or organized crime. And the hackers of tomorrow will be all of that and the
disenfranchised of the 21st century who will resort to the virtual space to commit acts of
terrorism far more effective than anything we've seen from the Armalite or the Semtex bomb
in the 20th century.

Consider the band of Russian hackers who, over the past two years, have siphoned off an
enormous amount of research and development secrets from U.S. corporate and government
entities in an operation codenamed Moonlight Maze by American intelligence. The value of
this stolen information is in the tens of millions—perhaps hundreds of millions—of
dollars; there's really no way to tell. The information was shipped over the Internet to
Moscow for sale to the highest bidder.

Fortunately, this threat was detected by a U.S. government agency. Unfortunately, that
information was not passed on to the private institutions that it might have helped. Among
government and industry alike, an understanding of the critical infrastructure's threat
environment is barely in its infancy.

All of these attacks, mistakes, and plain acts of God need to be studied very carefully.
Because they define the threat front that is driving right through our very fragile
economic, governmental, and corporate armor.

These are the kind of problems we—jointly, the public and private sectors—face in the
technology revolution. So the big question is, who is going to solve these problems? The
government? Private industry? Or the two working together? Or are the problems going to
be solved at all?

How has government responded so far? Well, there has been the usual President's
Commission, and then the Principals' Working Group, then the bureaucratic compromise that
nobody really wanted and then the National Plan which arrived seven months late and wasn't
a plan at all but an invitation to have more discussions. Meanwhile, the government in all
its stateliness continues to move forward as if the Revolution is not happening. Seven
months ago, my company won a major contract with a government agency to deliver urgently
needed intelligence. The money was allocated, the paperwork done. Yet it remains mired in
the bureaucratic hell from which apparently it cannot be extricated. Meanwhile that same
government agency is under cyber attack each and every day. This is not a revolution. This
is business as usual.

Another government agency is trying to revolutionize its procurement processes to keep up
with the pace of the revolution. They are proudly talking about reducing procurement times
down to under two years. In other words, by the time new equipment is in place, the
revolution has already moved on eight Internet years. In my company, if I can't have a
revolutionary new system in place within 90 days, I don't want it.

What this means to me is that the threat is growing rapidly, that a largely inert
government has so far been unable to meet the challenge and that more must be done. And
this does matter because there is more at stake here than simply whether a new computer
works or does not, whether a web site is hacked or not. At stake is the relationship
between the governed and their government in a democracy. High stakes indeed.

So, I welcome the Thompson-Lieberman legislation as a good first step in the Senate
efforts to try and control and drive the process that will bring the government up to
speed with the revolution. I believe, however, that to effectively cope with the
technology revolution, this proposal must be strengthened a great deal.

To fix the problems that afflict our body politic and our body corporate will require far
more than Band-Aids. We're not talking casts and splints or even organ transplants. What
we're talking about is leaving the old body and moving into a new one. We are talking—I am
talking—about beginning to make changes in our cultural, political, and economic processes
and institutions of such magnitude that they will dwarf even those that accompanied the
Industrial revolution.

What is needed is an outside entity - with real power - to implement drastic change in the
way government approaches technology and the underlying security of its systems.
Currently, jurisdictional wrangling, procurement problems and a slew of other issues are
seriously hampering government's ability to stay current with the rapid pace of the
Information Revolution. The Thompson-Lieberman bill provides a framework to begin sorting
through this mess.

However, what is needed most is a person or an entity that will draw on skill sets in many
areas that will overlap that of the CIO, CFO, CSO, and most of the other officers or
entities. Let's give this new person the title of Chief of Business Assurance. Or perhaps
the Office of Business Assurance to relate it directly to the federal government.

This new acronym should be the response to the current need. In some ways it is mirrored
by the debate that started at the beginning of the Information Revolution that led to the
appointment of Chief Information Officers in many companies and within government. But
Business Assurance is more than security, more than technology, and more than a
combination of the two. It is an understanding of the whole environment and what that
means for a business or a public sector operation.

The OBA's task would be to continuously gather and synthesize infrastructure-related
trends and events, to intelligently evaluate the technological context within which the
organization operates, to identify and assess potential threats, and then to suggest
defense action. Or, viewed from the positive side, to assess the technological
revolution's opportunities and propose effective offensive strategies.

The Office of Business Assurance must be a totally independent organization, with real
teeth and power within government. Those organizations that have the foresight to create
and properly staff this position will be immeasurably better equipped to handle the tidal
wave of change that is just now beginning to break over our government, industry, economy,
and culture.

There is much in common between government and industry when it comes to the
challenges—and the opportunities—that the technology revolution poses. Both sectors face a
common threat that ranges from vandal hackers and hardcore criminals to foreign agents and
natural disasters. Both sectors share common goals for the well being of America and her
people. Both employ technologies that are in essence identical. And both must work
together to protect each other.

My company, Infrastructure Defense, pioneers an approach to infrastructure protection that
is aimed chiefly at the private sector. Many of the principles, however—value-chain
analysis, for example, and threat analysis—are directly transferable to government
organizations. The two sectors are not that far apart.

With common problems and common goals, there are opportunities for common solutions. One
of the most important, I believe—one that is too new to have been embraced by either the
private or public sector—is the need for every organization to incorporate a
risk-mitigation process. A second priority is to build a comprehensive information sharing
system across all sectors on cyberthreats and countermeasures. We cannot afford to allow
important information to grow stagnant within particular public or private entities. The
rapid pace of technological change necessitates a correspondingly robust response
mechanism. I urge this Committee to champion this important issue as the federal response
to the growing cyberthreat is constructed.

Conclusion

I leave you with this thought: You will see total transformations of the way business and
government is conducted, internally and externally. A failure to change to meet these new
challenges is to risk the destruction that all revolutions bring in their wake. Proactive
action is the route to survival.

We have heard a great deal in recent months about the potential of a digital divide that
is developing between the computer haves and the computer have nots. I believe there is
another digital divide that is growing between the American government and its citizens.
If this Committee's efforts do not move forward in changing the culture of inertia, there
is real danger that the "digital divide" that exists between the government and the
private sector will only widen. We cannot afford a situation where the governed feel that
their government is out of touch and increasingly irrelevant to their lives. By stepping
up to the plate and tackling computer security with an innovative, bold approach the
Thompson-Lieberman bill significantly boosts the chances of reversing the current
bureaucratic approach to a dynamic problem.

Again, thank you for the honor of appearing before the Committee today.





106th CONGRESS
1ST SESSION


S. 1993


To reform Government information security by strengthening information security
practices throughout the Federal Government.


IN THE SENATE OF THE UNITED STATES
November 19, 1999

Mr. Thompson (for himself and Mr. Lieberman) introduced the following bill; which was
read twice and referred to the Committee on Governmental Affairs


A BILL

To reform Government information security by strengthening information security
practices throughout the Federal Government.

Be it enacted by the Senate and House of Representatives of the United States of America
in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the "Government Information Security Act of 1999".

SEC. 2. COORDINATION OF FEDERAL INFORMATION POLICY.

Chapter 35 of title 44, United States Code, is amended by inserting at the end the
following:





93 

2 

"SUBCHAPTER II—INFORMATION SECURITY

"§ 3531. Purposes

"The purposes of this subchapter are to—

"(1) provide a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support Federal operations and assets;

"(2)(A) recognize the highly networked nature of the Federal computing environment including the need for Federal Government interoperability and, in the implementation of improved security management measures, assure that opportunities for interoperability are not adversely affected; and

"(B) provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;

"(3) provide for development and maintenance of minimum controls required to protect Federal information and information systems; and

"(4) provide a mechanism for improved oversight of Federal agency information security programs.



"§ 3532. Definitions

"(a) Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.

"(b) As used in this subchapter the term 'information technology' has the meaning given that term in section 5002 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1401).

"§ 3533. Authority and functions of the Director

"(a)(1) Consistent with subchapter I, the Director shall establish governmentwide policies for the management of programs that support the cost-effective security of Federal information systems by promoting security as an integral component of each agency's business operations.

"(2) Policies under this subsection shall—

"(A) be founded on a continuing risk management cycle that recognizes the need to—

"(i) identify, assess, and understand risk; and

"(ii) determine security needs commensurate with the level of risk;

"(B) implement controls that adequately address the risk;

"(C) promote continuing awareness of information security risk;



"(D) monitor and evaluate policy; and

"(E) control effectiveness of information security practices.

"(b) The authority under subsection (a) includes the authority to—

"(1) oversee and develop policies, principles, standards, and guidelines for the handling of Federal information and information resources to improve the efficiency and effectiveness of governmental operations, including principles, policies, and guidelines for the implementation of agency responsibilities under applicable law for ensuring the privacy, confidentiality, and security of Federal information;

"(2) consistent with the standards and guidelines promulgated under section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441) and sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 759 note; Public Law 100-235; 101 Stat. 1729), require Federal agencies to identify and afford security protections commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency;

"(3) direct the heads of agencies to coordinate such agencies and coordinate with industry to—

"(A) identify, use, and share best security practices; and

"(B) develop voluntary consensus-based standards for security controls, in a manner consistent with section 2(b)(13) of the National Institute of Standards and Technology Act (15 U.S.C. 272(b)(13));

"(4) oversee the development and implementation of standards and guidelines relating to security controls for Federal computer systems by the Secretary of Commerce through the National Institute of Standards and Technology under section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441) and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3);

"(5) oversee and coordinate compliance with this section in a manner consistent with—

"(A) sections 552 and 552a of title 5;

"(B) sections 20 and 21 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3 and 278g-4);



"(C) section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441);

"(D) sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 759 note; Public Law 100-235; 101 Stat. 1729); and

"(E) related information management laws; and

"(6) take any authorized action that the Director considers appropriate, including any action involving the budgetary process or appropriations management process, to enforce accountability of the head of an agency for information resources management and for the investments made by the agency in information technology, including—

"(A) recommending a reduction or an increase in any amount for information resources that the head of the agency proposes for the budget submitted to Congress under section 1105(a) of title 31;

"(B) reducing or otherwise adjusting apportionments and reapportionments of appropriations for information resources; and

"(C) using other authorized administrative controls over appropriations to restrict the availability of funds for information resources.



"(c) The authority under this section may be delegated only to the Deputy Director for Management of the Office of Management and Budget.

"§ 3534. Federal agency responsibilities

"(a) The head of each agency shall—

"(1) be responsible for—

"(A) adequately protecting the integrity, confidentiality, and availability of information and information systems supporting agency operations and assets; and

"(B) developing and implementing information security policies, procedures, and control techniques sufficient to afford security protections commensurate with the risk and magnitude of the harm resulting from unauthorized disclosure, disruption, modification, or destruction of information collected or maintained by or for the agency;

"(2) ensure that each senior program manager is responsible for—

"(A) assessing the information security risk associated with the operations and assets of such manager;



"(B) determining the levels of information security appropriate to protect the operations and assets of such manager; and

"(C) periodically testing and evaluating information security controls and techniques;

"(3) delegate to the agency Chief Information Officer established under section 3506, or a comparable official in an agency not covered by such section, the authority to administer all functions under this subchapter including—

"(A) designating a senior agency information security officer;

"(B) developing and maintaining an agencywide information security program as required under subsection (b);

"(C) ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;

"(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and

"(E) assisting senior program managers concerning responsibilities under paragraph (2);



"(4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and

"(5) ensure that the agency Chief Information Officer, in coordination with senior program managers, periodically—

"(A)(i) evaluates the effectiveness of the agency information security program, including testing control techniques; and

"(ii) implements appropriate remedial actions based on that evaluation; and

"(B) reports to the agency head on—

"(i) the results of such tests and evaluations; and

"(ii) the progress of remedial actions.

"(b)(1) Each agency shall develop and implement an agencywide information security program to provide information security for the operations and assets of the agency, including information security provided or managed by another agency.

"(2) Each program under this subsection shall include—





"(A) periodic assessments of information security risks that consider internal and external threats to—

"(i) the integrity, confidentiality, and availability of systems; and

"(ii) data supporting critical operations and assets;

"(B) policies and procedures that—

"(i) are based on the risk assessments required under paragraph (1) that cost-effectively reduce information security risks to an acceptable level; and

"(ii) ensure compliance with—

"(I) the requirements of this subchapter;

"(II) policies and procedures as may be prescribed by the Director; and

"(III) any other applicable requirements;

"(C) security awareness training to inform personnel of—

"(i) information security risks associated with personnel activities; and



"(ii) responsibilities of personnel in complying with agency policies and procedures designed to reduce such risks;

"(D)(i) periodic management testing and evaluation of the effectiveness of information security policies and procedures; and

"(ii) a process for ensuring remedial action to address any deficiencies; and

"(E) procedures for detecting, reporting, and responding to security incidents, including—

"(i) mitigating risks associated with such incidents before substantial damage occurs;

"(ii) notifying and consulting with law enforcement officials and other offices and authorities; and

"(iii) notifying and consulting with an office designated by the Administrator of General Services within the General Services Administration.

"(3) Each program under this subsection is subject to the approval of the Director and is required to be reviewed at least annually by agency program officials in consultation with the Chief Information Officer.



"(c)(1) Each agency shall examine the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to—

"(A) annual agency budgets;

"(B) information resources management under the Paperwork Reduction Act of 1995 (44 U.S.C. 101 note);

"(C) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 through 2805 of title 39; and

"(D) financial management under—

"(i) chapter 9 of title 31, United States Code, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101-576) (and the amendments made by that Act);

"(ii) the Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note) (and the amendments made by that Act); and

"(iii) the internal controls conducted under section 3512 of title 31.

"(2) Any deficiency in a policy, procedure, or practice identified under paragraph (1) shall be reported as a material weakness in reporting required under the applicable provision of law under paragraph (1).



"§ 3535. Annual independent evaluation

"(a)(1) Each year each agency shall have an independent evaluation performed of the information security program and practices of that agency.

"(2) Each evaluation under this section shall include—

"(A) an assessment of compliance with—

"(i) the requirements of this subchapter; and

"(ii) related information security policies, procedures, standards, and guidelines; and

"(B) tests of the effectiveness of information security control techniques.

"(b)(1) For agencies with Inspectors General appointed under the Inspector General Act of 1978 (5 U.S.C. App.), annual evaluations required under this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency.

"(2) For any agency to which paragraph (1) does not apply, the head of the agency shall contract with an independent external auditor to perform the evaluation.

"(3) An evaluation of agency information security programs and practices performed by the Comptroller General may be in lieu of the evaluation required under this section.



"(c) Not later than March 1, 2001, and every March 1 thereafter, the results of an evaluation required under this section shall be submitted to the Director.

"(d) Each year the Comptroller General shall—

"(1) review the evaluations required under this section and other information security evaluation results; and

"(2) report to Congress regarding the adequacy of agency information programs and practices.

"(e) Agencies and auditors shall take appropriate actions to ensure the protection of information, the disclosure of which may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws.".

SEC. 3. RESPONSIBILITIES OF CERTAIN AGENCIES.

(a) DEPARTMENT OF COMMERCE.—The Secretary of Commerce, through the National Institute of Standards and Technology and with technical assistance from the National Security Agency, shall—

(1) develop, issue, review, and update standards and guidance for the security of information in Federal computer systems, including development of methods and techniques for security systems and validation programs;



(2) develop, issue, review, and update guidelines for training in computer security awareness and accepted computer security practices, with assistance from the Office of Personnel Management;

(3) provide agencies with guidance for security planning to assist in the development of applications and system security plans for such agencies;

(4) provide guidance and assistance to agencies concerning cost-effective controls when interconnecting with other systems; and

(5) evaluate information technologies to assess security vulnerabilities and alert Federal agencies of such vulnerabilities.

(b) DEPARTMENT OF JUSTICE.—The Department of Justice shall review and update guidance to agencies on—

(1) legal remedies regarding security incidents and ways to report to and work with law enforcement agencies concerning such incidents; and

(2) permitted uses of security techniques and technologies.

(c) GENERAL SERVICES ADMINISTRATION.—The General Services Administration shall—

(1) review and update General Services Administration guidance to agencies on addressing security considerations when acquiring information technology; and

(2) assist agencies in the acquisition of cost-effective security products, services, and incident response capabilities.

(d) OFFICE OF PERSONNEL MANAGEMENT.—The Office of Personnel Management shall—

(1) review and update Office of Personnel Management regulations concerning computer security training for Federal civilian employees; and

(2) assist the Department of Commerce in updating and maintaining guidelines for training in computer security awareness and computer security best practices.

SEC. 4. TECHNICAL AND CONFORMING AMENDMENTS.

(a) IN GENERAL.—Chapter 35 of title 44, United States Code, is amended—

(1) in the table of sections—

(A) by inserting after the chapter heading the following:

"SUBCHAPTER I—FEDERAL INFORMATION POLICY";

and

(B) by inserting after the item relating to section 3520 the following:

"SUBCHAPTER II—INFORMATION SECURITY

"Sec.
"3531. Purposes.


"3532. Definitions.
"3533. Authority and functions of the Director.
"3534. Federal agency responsibilities.
"3535. Annual independent evaluation.";

and

(2) by inserting before section 3501 the following:

"SUBCHAPTER I—FEDERAL INFORMATION POLICY".

(b) REFERENCES TO CHAPTER 35.—Chapter 35 of title 44, United States Code, is amended—

(1) in section 3501—

(A) in the matter preceding paragraph (1), by striking "chapter" and inserting "subchapter"; and

(B) in paragraph (11), by striking "chapter" and inserting "subchapter";

(2) in section 3502, in the matter preceding paragraph (1), by striking "chapter" and inserting "subchapter";

(3) in section 3503, in subsection (b), by striking "chapter" and inserting "subchapter";

(4) in section 3504—

(A) in subsection (a)(2), by striking "chapter" and inserting "subchapter";

(B) in subsection (d)(2), by striking "chapter" and inserting "subchapter"; and



(C) in subsection (f)(2), by striking "chapter" and inserting "subchapter";

(5) in section 3505—

(A) in subsection (a), in the matter preceding paragraph (1), by striking "chapter" and inserting "subchapter";

(B) in subsection (a)(2), by striking "chapter" and inserting "subchapter"; and

(C) in subsection (a)(3)(B)(iii), by striking "chapter" and inserting "subchapter";

(6) in section 3506—

(A) in subsection (a)(1)(B), by striking "chapter" and inserting "subchapter";

(B) in subsection (a)(2)(A), by striking "chapter" and inserting "subchapter";

(C) in subsection (a)(2)(B), by striking "chapter" and inserting "subchapter";

(D) in subsection (a)(3)—

(i) in the first sentence, by striking "chapter" and inserting "subchapter"; and

(ii) in the second sentence, by striking "chapter" and inserting "subchapter";

(E) in subsection (b)(4), by striking "chapter" and inserting "subchapter";



(F) in subsection (c)(1), by striking "chapter, to" and inserting "subchapter, to"; and

(G) in subsection (c)(1)(A), by striking "chapter" and inserting "subchapter";

(7) in section 3507—

(A) in subsection (a)(3)(B), by striking "chapter" and inserting "subchapter";

(B) in subsection (b)(2)(B), by striking "chapter" and inserting "subchapter";

(C) in subsection (h)(3), by striking "chapter" and inserting "subchapter";

(D) in subsection (j)(1)(A)(i), by striking "chapter" and inserting "subchapter";

(E) in subsection (j)(1)(B), by striking "chapter" and inserting "subchapter"; and

(F) in subsection (j)(2), by striking "chapter" and inserting "subchapter";

(8) in section 3509, by striking "chapter" and inserting "subchapter";

(9) in section 3512—

(A) in subsection (a), by striking "chapter if" and inserting "subchapter if"; and

(B) in subsection (a)(1), by striking "chapter" and inserting "subchapter";

(10) in section 3514—



(A) in subsection (a)(1)(A), by striking "chapter" and inserting "subchapter"; and

(B) in subsection (a)(2)(A)(ii), by striking "chapter" and inserting "subchapter" each place it appears;

(11) in section 3515, by striking "chapter" and inserting "subchapter";

(12) in section 3516, by striking "chapter" and inserting "subchapter";

(13) in section 3517(b), by striking "chapter" and inserting "subchapter";

(14) in section 3518—

(A) in subsection (a), by striking "chapter" and inserting "subchapter" each place it appears;

(B) in subsection (b), by striking "chapter" and inserting "subchapter";

(C) in subsection (c)(1), by striking "chapter" and inserting "subchapter";

(D) in subsection (c)(2), by striking "chapter" and inserting "subchapter";

(E) in subsection (d), by striking "chapter" and inserting "subchapter"; and

(F) in subsection (e), by striking "chapter" and inserting "subchapter"; and



(15) in section 3520, by striking "chapter" and inserting "subchapter".

SEC. 5. EFFECTIVE DATE.

This Act and the amendments made by this Act shall take effect 30 days after the date of enactment of this Act.



United States General Accounting Office
Washington, D.C. 20548

Accounting and Information Management Division

B-2860a0

March 31, 2000

The Honorable Daniel K. Akaka
Committee on Governmental Affairs
United States Senate

Subject: Information Security: Follow-up Questions Concerning the Proposed Government Information Security Act of 1999

Dear Senator Akaka:

This letter responds to the March 6, 2000, letter from Ms. Hannah Sistare, Staff Director and Counsel of the Senate Committee on Governmental Affairs, requesting on your behalf that we answer several follow-up questions related to our March 2, 2000, testimony.¹ During that testimony, we discussed the proposals in S. 1993, the Government Information Security Act of 1999, which seeks to strengthen information security practices throughout the federal government. Your questions, along with our responses, follow.

Question 1: Should we be concerned that national security programs may become more vulnerable as a result (of what S. 1993 would do)?

Answer: S. 1993 does not limit the extent to which agencies can protect their computer-supported operations, including those related to national security. Conversely, the bill emphasizes the importance of recognizing that highly critical and sensitive data and operations merit a higher level of security than those that are less critical and sensitive. S. 1993 would place responsibility for determining what levels of protection are appropriate for the various types of data and operations in the hands of agency program managers. As a result, managers of classified programs would be responsible for determining how to protect their classified data in accordance with their agencies' policies. In essence, S. 1993 provides a generic framework for improving (1) agency management of information security and (2) oversight of agency practices. Such a framework can benefit all agency programs—classified and unclassified—by helping to ensure that controls commensurate with risk are implemented effectively.

¹ Information Security: Comments on the Proposed Government Information Security Act of 1999 (GAO/T-AIMD-00-107, March 2, 2000).

Question 1.a: How can we ensure under S. 1993 that both classified and unclassified information systems will be adequately protected?

Answer: S. 1993 provides for a risk-based approach to information security that requires agency managers to determine what levels of protection are appropriate and ensures that such protections are effectively implemented. Under this approach, classified systems would continue to be subject to security requirements applicable under existing agency policies, unless agencies determined that such requirements and related policies needed to be modified.

Question 1.b: Won't there be a tendency to focus on classified systems, perhaps slowing down the public's access to unclassified information?

Answer: S. 1993 recognizes that for security "one size does not fit all." Accordingly, the level of public access allowed would vary depending on the sensitivity of the information in question. Disclosure of some unclassified information is prohibited by law, such as sensitive taxpayer information. The protection of government information from unauthorized access is important due to national security and privacy concerns. Ensuring adequate protection of the data in no way affects the right of citizens to access public information through mechanisms, such as the Freedom of Information Act, which was established to provide them access. S. 1993's focus on risk management is designed to accommodate all levels of data sensitivity.

Question 2: Have we historically provided adequate guidance, oversight and funding to each executive department to enable them to effectively address current day vulnerabilities, or is that the crux of the problem?

Answer: While guidance, oversight, and funding have been provided, they have not kept pace with the quickly evolving computing environment over the last decade. In addition, audits have shown that agencies have done a poor job of implementing existing guidance. S. 1993 seeks to update and improve guidance to agencies and improve oversight by requiring annual evaluations of agency security programs.

Question 2.a: Is the current situation so dire that serious consideration of a national Chief Information Officer (CIO) is a logical step to take at this time?

Answer: Yes. As I indicated in my testimony, federal agencies are highly vulnerable to attack and misuse, and there is a need for stronger, more centralized leadership in this area. A federal CIO could help coordinate agency security activities and facilitate solutions for common problems. Concurrently, a federal CIO could benefit other aspects of information technology management, such as strategic planning, managing system investments, and software development. It is important that all of these aspects of information technology management, including information security, be managed under a cohesive strategy.

Please contact me at (202) 512-6240 if you have any questions. I can also be reached by e-mail at brockj.aimd@gao.gov.

Sincerely yours,

Jack L. Brock, Jr.
Director, Governmentwide and Defense Information Systems

(511967)


National Aeronautics and Space Administration
Washington, DC 20546-0001

MAR 31 2000

Ms. Hannah Sistare
Staff Director and Counsel
United States Senate
Committee on Governmental Affairs
Washington, DC 20510-6250

Dear Ms. Sistare:

Enclosed is our response to the additional questions posed by Senator Akaka from the March 2, 2000, hearing entitled "Cyber Attack: Is the Government Safe?"

Our office is committed to improving information security and adequately protecting NASA information technology resources. Because vulnerabilities to command and control operations of spacecraft are of great concern to the NASA Office of Inspector General, we have issued several reports related to command and control issues. We also have issued many reports on other NASA information security vulnerabilities. I would be glad to provide you briefings on these matters, at your convenience.

If you or your staff have any questions or need additional information regarding our response, please contact me at (202) 358-1220 or Mr. Alan Lamoreaux, IG Executive Officer, at (202) 358-2061.

Sincerely,

Roberta L. Gross
Inspector General

Enclosure


NATIONAL AERONAUTICS & SPACE ADMINISTRATION
MS. ROBERTA GROSS
INSPECTOR GENERAL

Responses to Questions
Senate Committee on Governmental Affairs

Background:

The following quote is from the May 1999 GAO Information Security Report entitled Many NASA Mission-Critical Systems Face Serious Risks. "With nothing more than publicly available Internet access, we performed penetration testing at one of NASA's 10 field centers, simulating outside attackers. Our test team was able to systematically penetrate systems involved in two mission critical functions: (1) supporting the command and control of spacecraft and (2) processing and distributing scientific data returned from space. The systems supporting the command and control of spacecraft were involved in determining and verifying a variety of detailed spacecraft positioning data, such as orbital attitude (the precise orientation of a spacecraft with respect to the earth) and other orbit information used in planning spacecraft maneuvers and establishing and maintaining communications with ground controllers...."

Question 1: Are spacecraft command and control systems classified national security systems?

Answer: The spacecraft command and control systems are considered classified national security systems only if the mission contains a classified payload or if the mission involves classified national security information. In addition, command and control systems are classified if the information from the mission is used to augment national security operations in the event of a national emergency.

Question 2: What was the reason for such poor controls over such a critical system?

Answer: The controls and procedures in place to protect the critical systems were weak, in part, due to the absence of a robust information security program which lacked adequate policies and procedures, adequately qualified information security professionals, appropriate program funding for security, and effective enforcement and follow-up to ensure compliance with applicable federal regulations.

Question 3: Has the problem been fixed?

Answer: Agency-wide efforts are underway to address the problems, but significant problems remain (see response to question 2). I would note that the penetration testing addressed in the GAO report involved ground-based computers used for command and control. It did not include radio-frequency based spacecraft commanding. Radio frequency based spacecraft commanding also requires adequate authentication regardless of whether the mission is national security related or purely commercial. In this area, NASA has not effectively implemented policy requiring approved communications security techniques be applied to NASA spacecraft.




Oi«o SfKaM, be. 
mil IU««Mdk 
Aum.TX7t75f 
rtm: 512 20105$ 
FMt 512 201506 
Kn p;l6irw«.aii;9xoni 

Miith31,2000 

ChiimvAn Pned Tbompoon A Senaior Joseph Uebennin 
Conunittoe on (JovrmmenuJ Affain 
United Suui Scnaio 
Waihingtofi. DC 20510^250 

Dear Senatoo *rhoropson A Ueberman: 

Thank you for the opportunity to offer additional information pertinent to the March 2,2000 hearing 
entitled *Cyber Attack: la the Government Safe?” I hope the following adequately answera the 
commiticc'i question as poaed by Senator Akaka. 

a V ESIlO N - 

Many believe that the private sector should and must take the predominant role in resolving the cyber 
network security problem. Do you share this view, and do ypu foresee the overall problem improving, 
or getting worse as technology evolvea? 

Msmsiii 

Cisco believes that the private sector should take the predominant role in resolving network cyber
security challenges. However, the private sector needs and hopes to partner closely with government,
combining our strengths and leveraging our core competencies to achieve network security. And
separate and apart from industry efforts, the government clearly has responsibility for protecting
government computers and networks from attack. We are confident that, working together, we can
collectively meet the challenges as technology evolves.

We believe that this public-private partnership is the most effective response to potential attacks. In the
private sector, incentives must be put into place to encourage all network administrators to deploy
security technologies to protect themselves and their customers from hacker attacks. In the public sector,
we are grateful that the Federal Bureau of Investigation has devoted significant resources to
investigating the recent denial of service attacks and we hope the perpetrators will be prosecuted to the
fullest extent of the law. We also encourage the federal government to serve as a model for private
industry by equipping its own computer networks with the best security measures possible.

I. The Private Sector Should Lead Efforts to Address Cyber Security Challenges

Going forward, it is clearly up to the private sector to assume the lead role in network security. Private
sector leadership makes sense for several reasons, not the least of which is that the vast majority of
networks are built, owned and operated by private industry. Market forces drive us to develop solutions
quickly, with the aim of continued robust delivery of goods and services. In addition, the private sector
brings several core competencies to bear, specifically:

• Market-driven solutions

• Operational expertise

• Robust investment in research and development

• The ability to respond quickly to changing market requirements

• State-of-the-art training and education programs

• Industry-driven standards

Private industry has indeed begun stepping up to the plate in just the past few weeks. Already, each of
the private infrastructure sectors is organizing to address concerns raised by Presidential Decision
Directive 63 and the National Plan for Information Systems Protection, Version 1.0, in cooperation with
their government sector liaisons. The new Partnership for Critical Infrastructure Security is addressing
cross-sector concerns, while providing a vehicle for private sector input into the national planning
process and to the National Infrastructure Assurance Council as it develops advice for the President. We
in the Partnership hope to more fully involve government leaders, the privacy community, and
academia, and are taking steps to do so. Meanwhile, we have identified broad areas of mutual concern
to both government and the private sector, and are planning on a formal organization with defined
support and liaison relationships to expedite our work.


II. The Private Sector Needs and Wants to Partner with Government to Secure our Networks

For the private sector to succeed, however, it will need a strong and engaged partner in government.
Government brings several unique capabilities to the Partnership including:

• The ability to offer incentives for market-driven solutions beyond what due diligence and market
pressure can provide.

• Power to remove barriers to information sharing (e.g. liability).

• Access to threat information for a better understanding of risk.

• A bully pulpit from which to wage a national education program.

• The ability to coordinate a national research and development agenda.

Sharing of information on threats and effective responses between private sector and government will be
critical to our success.

III. Government Needs to Take Responsibility for Its Own Systems.

Government will need to take the leading role with respect to protecting government systems,
particularly military and national security networks. Government systems are uniquely attractive targets
to hackers and contain uniquely critical data. In addition, the government must defend against third
parties "hijacking" its powerful networks to attack others. We concur with the objectives stated by this
Committee — the federal government should strive to serve as a model for private industry by equipping
its own computer networks with the best security measures possible.




IV. Will It Get Better or Get Worse?

While short term problems may increase, I believe that in the long term we can dramatically improve
the state of network security by working together. To address short term challenges, data-driven
management decisions can effect change. Security posture assessments can not only provide baseline
security states of department, agency, and company networks, they can serve as awareness vehicles for
senior management.

In the long term, we must invest in a national education and training program and conduct basic and
applied security research. Industry and academia can build network security training programs, but must
collaborate with the government on training requirements and standards. Coordinating university
network security syllabi, retraining federal and private sector employees, and promoting corporate
training programs should become a top agenda item. Building a reliable, secure, next generation
Internet is possible if we meet research challenges together. New technologies like malicious code
detection, mobile agents, and sensor technologies over IP could expedite long-term solutions. We won't
know what combinations are needed until we invest in and conduct this research together.

I believe the Partnership for Critical Infrastructure Security represents a great beginning to the public-
private collaboration needed to fully resolve our common infrastructure assurance problem. I look
forward to working more closely with government, academia, and other industry partners as we
empower our citizens and customers to take full advantage of the Internet economy in the Internet
century.

Please contact me at (512) 378-1112 or e-mail: kwatson@cisco.com if you have additional questions.


Sincerely, 

Ken Watson
Cisco Systems, Inc. 





